CVE-2026-43338
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/05/2026
Last modified:
15/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: reserve enough transaction items for qgroup ioctls

Currently our qgroup ioctls don't reserve any space, they just do a
transaction join, which does not reserve any space, neither for the quota
tree updates nor for the delayed refs generated when updating the quota
tree. The quota root uses the global block reserve, which is fine most of
the time since we don't expect a lot of updates to the quota root, or to
be too close to -ENOSPC such that other critical metadata updates need to
resort to the global reserve.

However this is not optimal, as not reserving proper space may result in a
transaction abort due to not reserving space for delayed refs and then
abusing the use of the global block reserve.

For example, the following reproducer (which is unlikely to model any
real world use case, but just to illustrate the problem), triggers such a
transaction abort due to -ENOSPC when running delayed refs:

$ cat test.sh
#!/bin/bash

DEV=/dev/nullb0
MNT=/mnt/nullb0

umount $DEV &> /dev/null
# Limit device to 1G so that it's much faster to reproduce the issue.
mkfs.btrfs -f -b 1G $DEV
mount -o commit=600 $DEV $MNT

fallocate -l 800M $MNT/filler
btrfs quota enable $MNT

for ((i = 1; i
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.6 (including) | 6.12.81 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.22 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | | |
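
For triage, the version ranges in the table above can be checked against a host's `uname -r` string. The following is an added example, not part of the CVE record or the kernel patch; the function names are hypothetical. It compares upstream version numbers only, so a distribution kernel that carries a backported fix still has to be checked against the vendor's advisory.

```python
import platform
import re

# Ranges transcribed from the table above: (from, inclusive) .. (up to, exclusive).
AFFECTED_RANGES = [
    ((3, 6, 0), (6, 12, 81)),
    ((6, 13, 0), (6, 18, 22)),
    ((6, 19, 0), (6, 19, 12)),
]
# Release candidates the table lists individually: 7.0 rc1 through rc4.
AFFECTED_RCS = {((7, 0, 0), rc) for rc in (1, 2, 3, 4)}

# Matches the leading "X.Y[.Z][-rcN]" of a `uname -r` string; the rest
# (distribution build number, flavour) is ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Return ((major, minor, patch), rc_or_None) for a kernel release string."""
    match = _RELEASE_RE.match(release.strip())
    if match is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = match.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, (int(rc) if rc is not None else None)


def listed_as_affected(release):
    """True if the release falls in a range or rc entry of the table."""
    version, rc = parse_release(release)
    if (version, rc) in AFFECTED_RCS:
        return True
    # Assumption of this example: any other -rc build is compared by its
    # base version, ignoring the -rc suffix.
    return any(low <= version < high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    running = platform.release()
    verdict = "listed as affected" if listed_as_affected(running) else "not listed"
    print(f"{running}: {verdict} for CVE-2026-43338")
```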



