diff options
| author | Filipe Manana <fdmanana@suse.com> | 2026-02-26 23:41:07 +0000 |
|---|---|---|
| committer | David Sterba <dsterba@suse.com> | 2026-03-03 17:03:59 +0100 |
| commit | 87f2c46003fce4d739138aab4af1942b1afdadac (patch) | |
| tree | 168cdee57669b7914a2b9c69cd6a7cf8af0ef159 /tools/lib/python/kdoc | |
| parent | e1b18b959025e6b5dbad668f391f65d34b39595a (diff) | |
| download | linux-87f2c46003fce4d739138aab4af1942b1afdadac.tar.gz linux-87f2c46003fce4d739138aab4af1942b1afdadac.zip | |
btrfs: fix transaction abort on set received ioctl due to item overflow
If the set received ioctl fails due to an item overflow when attempting to
add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
since we did some metadata updates before.
This means that if a user calls this ioctl with the same received UUID
field for a lot of subvolumes, we will hit the overflow, trigger the
transaction abort and turn the filesystem into RO mode. A malicious user
could exploit this, and this ioctl does not even requires that a user
has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
Fix this by doing an early check for item overflow before starting a
transaction. This is also race safe because we are holding the subvol_sem
semaphore in exclusive (write) mode.
A test case for fstests will follow soon.
Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
CC: stable@vger.kernel.org # 3.12+
Reviewed-by: Anand Jain <asj@kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'tools/lib/python/kdoc')
0 files changed, 0 insertions, 0 deletions