CVE-2024-26644

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: don&amp;#39;t abort filesystem when attempting to snapshot deleted subvolume<br /> <br /> If the source file descriptor to the snapshot ioctl refers to a deleted<br /> subvolume, we get the following abort:<br /> <br /> BTRFS: Transaction aborted (error -2)<br /> WARNING: CPU: 0 PID: 833 at fs/btrfs/transaction.c:1875 create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> Modules linked in: pata_acpi btrfs ata_piix libata scsi_mod virtio_net blake2b_generic xor net_failover virtio_rng failover scsi_common rng_core raid6_pq libcrc32c<br /> CPU: 0 PID: 833 Comm: t_snapshot_dele Not tainted 6.7.0-rc6 #2<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014<br /> RIP: 0010:create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> RSP: 0018:ffffa09c01337af8 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: ffff9982053e7c78 RCX: 0000000000000027<br /> RDX: ffff99827dc20848 RSI: 0000000000000001 RDI: ffff99827dc20840<br /> RBP: ffffa09c01337c00 R08: 0000000000000000 R09: ffffa09c01337998<br /> R10: 0000000000000003 R11: ffffffffb96da248 R12: fffffffffffffffe<br /> R13: ffff99820535bb28 R14: ffff99820b7bd000 R15: ffff99820381ea80<br /> FS: 00007fe20aadabc0(0000) GS:ffff99827dc00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000559a120b502f CR3: 00000000055b6000 CR4: 00000000000006f0<br /> Call Trace:<br /> <br /> ? create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> ? __warn+0x81/0x130<br /> ? create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> ? report_bug+0x171/0x1a0<br /> ? handle_bug+0x3a/0x70<br /> ? exc_invalid_op+0x17/0x70<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> ? create_pending_snapshot+0x1040/0x1190 [btrfs]<br /> create_pending_snapshots+0x92/0xc0 [btrfs]<br /> btrfs_commit_transaction+0x66b/0xf40 [btrfs]<br /> btrfs_mksubvol+0x301/0x4d0 [btrfs]<br /> btrfs_mksnapshot+0x80/0xb0 [btrfs]<br /> __btrfs_ioctl_snap_create+0x1c2/0x1d0 [btrfs]<br /> btrfs_ioctl_snap_create_v2+0xc4/0x150 [btrfs]<br /> btrfs_ioctl+0x8a6/0x2650 [btrfs]<br /> ? kmem_cache_free+0x22/0x340<br /> ? do_sys_openat2+0x97/0xe0<br /> __x64_sys_ioctl+0x97/0xd0<br /> do_syscall_64+0x46/0xf0<br /> entry_SYSCALL_64_after_hwframe+0x6e/0x76<br /> RIP: 0033:0x7fe20abe83af<br /> RSP: 002b:00007ffe6eff1360 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007fe20abe83af<br /> RDX: 00007ffe6eff23c0 RSI: 0000000050009417 RDI: 0000000000000003<br /> RBP: 0000000000000003 R08: 0000000000000000 R09: 00007fe20ad16cd0<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000<br /> R13: 00007ffe6eff13c0 R14: 00007fe20ad45000 R15: 0000559a120b6d58<br /> <br /> ---[ end trace 0000000000000000 ]---<br /> BTRFS: error (device vdc: state A) in create_pending_snapshot:1875: errno=-2 No such entry<br /> BTRFS info (device vdc: state EA): forced readonly<br /> BTRFS warning (device vdc: state EA): Skipping commit of aborted transaction.<br /> BTRFS: error (device vdc: state EA) in cleanup_transaction:2055: errno=-2 No such entry<br /> <br /> This happens because create_pending_snapshot() initializes the new root<br /> item as a copy of the source root item. This includes the refs field,<br /> which is 0 for a deleted subvolume. The call to btrfs_insert_root()<br /> therefore inserts a root with refs == 0. btrfs_get_new_fs_root() then<br /> finds the root and returns -ENOENT if refs == 0, which causes<br /> create_pending_snapshot() to abort.<br /> <br /> Fix it by checking the source root&amp;#39;s refs before attempting the<br /> snapshot, but after locking subvol_sem to avoid racing with deletion.