From: Greg Kroah-Hartman Date: Mon, 13 Apr 2026 15:38:34 +0000 (+0200) Subject: drop some 5.10 btrfs patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8b1e4ca2922750a6a901178a741b0481d2950b8;p=thirdparty%2Fkernel%2Fstable-queue.git drop some 5.10 btrfs patches --- diff --git a/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-du.patch b/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-du.patch deleted file mode 100644 index 7761fb8f08..0000000000 --- a/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-du.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 59da1e3ff3cc66b5dff4936e1209e1b93f647984 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 6 Apr 2026 09:02:32 -0400 -Subject: btrfs: fix transaction abort on set received ioctl due to item - overflow - -From: Filipe Manana - -[ Upstream commit 87f2c46003fce4d739138aab4af1942b1afdadac ] - -If the set received ioctl fails due to an item overflow when attempting to -add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction -since we did some metadata updates before. - -This means that if a user calls this ioctl with the same received UUID -field for a lot of subvolumes, we will hit the overflow, trigger the -transaction abort and turn the filesystem into RO mode. A malicious user -could exploit this, and this ioctl does not even requires that a user -has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume. - -Fix this by doing an early check for item overflow before starting a -transaction. This is also race safe because we are holding the subvol_sem -semaphore in exclusive (write) mode. - -A test case for fstests will follow soon. - -Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree") -CC: stable@vger.kernel.org # 3.12+ -Reviewed-by: Anand Jain -Signed-off-by: Filipe Manana -Reviewed-by: David Sterba -Signed-off-by: David Sterba -Signed-off-by: Sasha Levin ---- - fs/btrfs/ctree.h | 2 ++ - fs/btrfs/ioctl.c | 21 +++++++++++++++++++-- - fs/btrfs/uuid-tree.c | 42 ++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 63 insertions(+), 2 deletions(-) - -diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h -index a9926fb10c491..c395035980eef 100644 ---- a/fs/btrfs/ctree.h -+++ b/fs/btrfs/ctree.h -@@ -2870,6 +2870,8 @@ int btrfs_uuid_tree_add(struct btrfs_trans_handle *trans, u8 *uuid, u8 type, - int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type, - u64 subid); - int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info); -+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info, -+ u8 *uuid, u8 type); - - /* dir-item.c */ - int btrfs_check_dir_item_collision(struct btrfs_root *root, u64 dir, -diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index 574a00db258a0..3712396c3f8a0 100644 ---- a/fs/btrfs/ioctl.c -+++ b/fs/btrfs/ioctl.c -@@ -4486,6 +4486,25 @@ static long _btrfs_ioctl_set_received_subvol(struct file *file, - goto out; - } - -+ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid, -+ BTRFS_UUID_SIZE); -+ -+ /* -+ * Before we attempt to add the new received uuid, check if we have room -+ * for it in case there's already an item. If the size of the existing -+ * item plus this root's ID (u64) exceeds the maximum item size, we can -+ * return here without the need to abort a transaction. If we don't do -+ * this check, the btrfs_uuid_tree_add() call below would fail with -+ * -EOVERFLOW and result in a transaction abort. Malicious users could -+ * exploit this to turn the fs into RO mode. -+ */ -+ if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) { -+ ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid, -+ BTRFS_UUID_KEY_RECEIVED_SUBVOL); -+ if (ret < 0) -+ goto out; -+ } -+ - /* - * 1 - root item - * 2 - uuid items (received uuid + subvol uuid) -@@ -4501,8 +4520,6 @@ static long _btrfs_ioctl_set_received_subvol(struct file *file, - sa->rtime.sec = ct.tv_sec; - sa->rtime.nsec = ct.tv_nsec; - -- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid, -- BTRFS_UUID_SIZE); - if (received_uuid_changed && - !btrfs_is_empty_uuid(root_item->received_uuid)) { - ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid, -diff --git a/fs/btrfs/uuid-tree.c b/fs/btrfs/uuid-tree.c -index 28525ad7ff8cb..d40e1731b570e 100644 ---- a/fs/btrfs/uuid-tree.c -+++ b/fs/btrfs/uuid-tree.c -@@ -226,6 +226,48 @@ int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type, - return ret; - } - -+/* -+ * Check if we can add one root ID to a UUID key. -+ * If the key does not yet exists, we can, otherwise only if extended item does -+ * not exceeds the maximum item size permitted by the leaf size. -+ * -+ * Returns 0 on success, negative value on error. -+ */ -+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info, -+ u8 *uuid, u8 type) -+{ -+ struct btrfs_path *path = NULL; -+ int ret; -+ u32 item_size; -+ struct btrfs_key key; -+ -+ if (WARN_ON_ONCE(!fs_info->uuid_root)) -+ return -EINVAL; -+ -+ path = btrfs_alloc_path(); -+ if (!path) -+ return -ENOMEM; -+ -+ btrfs_uuid_to_key(uuid, type, &key); -+ ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0); -+ if (ret < 0) -+ goto out; -+ if (ret > 0) { -+ ret = 0; -+ goto out; -+ } -+ -+ item_size = btrfs_item_size_nr(path->nodes[0], path->slots[0]); -+ -+ if (sizeof(struct btrfs_item) + item_size + sizeof(u64) > -+ BTRFS_LEAF_DATA_SIZE(fs_info)) -+ ret = -EOVERFLOW; -+ -+out: -+ btrfs_free_path(path); -+ return ret; -+} -+ - static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type, - u64 subid) - { --- -2.53.0 - diff --git a/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch b/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch deleted file mode 100644 index a047367331..0000000000 --- a/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch +++ /dev/null @@ -1,146 +0,0 @@ -From stable+bounces-227402-greg=kroah.com@vger.kernel.org Fri Mar 20 01:17:13 2026 -From: Sasha Levin -Date: Thu, 19 Mar 2026 20:17:04 -0400 -Subject: btrfs: fix transaction abort on set received ioctl due to item overflow -To: stable@vger.kernel.org -Cc: Filipe Manana , Anand Jain , David Sterba , Sasha Levin -Message-ID: <20260320001704.3248188-1-sashal@kernel.org> - -From: Filipe Manana - -[ Upstream commit 87f2c46003fce4d739138aab4af1942b1afdadac ] - -If the set received ioctl fails due to an item overflow when attempting to -add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction -since we did some metadata updates before. - -This means that if a user calls this ioctl with the same received UUID -field for a lot of subvolumes, we will hit the overflow, trigger the -transaction abort and turn the filesystem into RO mode. A malicious user -could exploit this, and this ioctl does not even requires that a user -has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume. - -Fix this by doing an early check for item overflow before starting a -transaction. This is also race safe because we are holding the subvol_sem -semaphore in exclusive (write) mode. - -A test case for fstests will follow soon. - -Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree") -CC: stable@vger.kernel.org # 3.12+ -Reviewed-by: Anand Jain -Signed-off-by: Filipe Manana -Reviewed-by: David Sterba -Signed-off-by: David Sterba -[ A whole bunch of small things :) ] -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/ctree.h | 2 ++ - fs/btrfs/ioctl.c | 21 +++++++++++++++++++-- - fs/btrfs/uuid-tree.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 67 insertions(+), 2 deletions(-) - ---- a/fs/btrfs/ctree.h -+++ b/fs/btrfs/ctree.h -@@ -2869,6 +2869,8 @@ int btrfs_uuid_tree_add(struct btrfs_tra - u64 subid); - int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type, - u64 subid); -+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info, -+ u8 *uuid, u8 type); - int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info); - - /* dir-item.c */ ---- a/fs/btrfs/ioctl.c -+++ b/fs/btrfs/ioctl.c -@@ -4486,6 +4486,25 @@ static long _btrfs_ioctl_set_received_su - goto out; - } - -+ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid, -+ BTRFS_UUID_SIZE); -+ -+ /* -+ * Before we attempt to add the new received uuid, check if we have room -+ * for it in case there's already an item. If the size of the existing -+ * item plus this root's ID (u64) exceeds the maximum item size, we can -+ * return here without the need to abort a transaction. If we don't do -+ * this check, the btrfs_uuid_tree_add() call below would fail with -+ * -EOVERFLOW and result in a transaction abort. Malicious users could -+ * exploit this to turn the fs into RO mode. -+ */ -+ if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) { -+ ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid, -+ BTRFS_UUID_KEY_RECEIVED_SUBVOL); -+ if (ret < 0) -+ goto out; -+ } -+ - /* - * 1 - root item - * 2 - uuid items (received uuid + subvol uuid) -@@ -4501,8 +4520,6 @@ static long _btrfs_ioctl_set_received_su - sa->rtime.sec = ct.tv_sec; - sa->rtime.nsec = ct.tv_nsec; - -- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid, -- BTRFS_UUID_SIZE); - if (received_uuid_changed && - !btrfs_is_empty_uuid(root_item->received_uuid)) { - ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid, ---- a/fs/btrfs/uuid-tree.c -+++ b/fs/btrfs/uuid-tree.c -@@ -226,6 +226,52 @@ out: - return ret; - } - -+/* -+ * Check if we can add one root ID to a UUID key. -+ * If the key does not yet exists, we can, otherwise only if extended item does -+ * not exceeds the maximum item size permitted by the leaf size. -+ * -+ * Returns 0 on success, negative value on error. -+ */ -+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info, -+ u8 *uuid, u8 type) -+{ -+ struct btrfs_path *path = NULL; -+ int ret; -+ u32 item_size; -+ struct btrfs_key key; -+ -+ if (WARN_ON_ONCE(!fs_info->uuid_root)) { -+ ret = -EINVAL; -+ goto out; -+ } -+ -+ path = btrfs_alloc_path(); -+ if (!path) { -+ ret = -ENOMEM; -+ goto out; -+ } -+ -+ btrfs_uuid_to_key(uuid, type, &key); -+ ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0); -+ if (ret < 0) -+ goto out; -+ if (ret > 0) { -+ ret = 0; -+ goto out; -+ } -+ -+ item_size = btrfs_item_size(path->nodes[0], path->slots[0]); -+ -+ if (sizeof(struct btrfs_item) + item_size + sizeof(u64) > -+ BTRFS_LEAF_DATA_SIZE(fs_info)) -+ ret = -EOVERFLOW; -+ -+out: -+ btrfs_free_path(path); -+ return ret; -+} -+ - static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type, - u64 subid) - { diff --git a/queue-5.10/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch b/queue-5.10/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch deleted file mode 100644 index e6f15de4b5..0000000000 --- a/queue-5.10/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch +++ /dev/null @@ -1,174 +0,0 @@ -From stable+bounces-227367-greg=kroah.com@vger.kernel.org Thu Mar 19 19:38:35 2026 -From: Sasha Levin -Date: Thu, 19 Mar 2026 14:34:41 -0400 -Subject: btrfs: fix transaction abort when snapshotting received subvolumes -To: stable@vger.kernel.org -Cc: Filipe Manana , Boris Burkov , Qu Wenruo , David Sterba , Sasha Levin -Message-ID: <20260319183441.2928953-1-sashal@kernel.org> - -From: Filipe Manana - -[ Upstream commit e1b18b959025e6b5dbad668f391f65d34b39595a ] - -Currently a user can trigger a transaction abort by snapshotting a -previously received snapshot a bunch of times until we reach a -BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we -can store in a leaf). This is very likely not common in practice, but -if it happens, it turns the filesystem into RO mode. The snapshot, send -and set_received_subvol and subvol_setflags (used by receive) don't -require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user -could use this to turn a filesystem into RO mode and disrupt a system. - -Reproducer script: - - $ cat test.sh - #!/bin/bash - - DEV=/dev/sdi - MNT=/mnt/sdi - - # Use smallest node size to make the test faster. - mkfs.btrfs -f --nodesize 4K $DEV - mount $DEV $MNT - - # Create a subvolume and set it to RO so that it can be used for send. - btrfs subvolume create $MNT/sv - touch $MNT/sv/foo - btrfs property set $MNT/sv ro true - - # Send and receive the subvolume into snaps/sv. - mkdir $MNT/snaps - btrfs send $MNT/sv | btrfs receive $MNT/snaps - - # Now snapshot the received subvolume, which has a received_uuid, a - # lot of times to trigger the leaf overflow. - total=500 - for ((i = 1; i <= $total; i++)); do - echo -ne "\rCreating snapshot $i/$total" - btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null - done - echo - - umount $MNT - -When running the test: - - $ ./test.sh - (...) - Create subvolume '/mnt/sdi/sv' - At subvol /mnt/sdi/sv - At subvol sv - Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type - Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system - Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system - Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system - Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system - -And in dmesg/syslog: - - $ dmesg - (...) - [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! - [251067.629212] ------------[ cut here ]------------ - [251067.630033] BTRFS: Transaction aborted (error -75) - [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 - [251067.632851] Modules linked in: btrfs dm_zero (...) - [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) - [251067.646165] Tainted: [W]=WARN - [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 - [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] - [251067.649984] Code: f0 48 0f (...) - [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 - [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 - [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 - [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 - [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 - [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 - [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 - [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 - [251067.661972] Call Trace: - [251067.662292] - [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] - [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] - [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] - [251067.665238] ? _raw_spin_unlock+0x15/0x30 - [251067.665837] ? record_root_in_trans+0xa2/0xd0 [btrfs] - [251067.666531] btrfs_mksubvol+0x330/0x580 [btrfs] - [251067.667145] btrfs_mksnapshot+0x74/0xa0 [btrfs] - [251067.667827] __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs] - [251067.668595] btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs] - [251067.669479] btrfs_ioctl+0x1580/0x2690 [btrfs] - [251067.670093] ? count_memcg_events+0x6d/0x180 - [251067.670849] ? handle_mm_fault+0x1a0/0x2a0 - [251067.671652] __x64_sys_ioctl+0x92/0xe0 - [251067.672406] do_syscall_64+0x50/0xf20 - [251067.673129] entry_SYSCALL_64_after_hwframe+0x76/0x7e - [251067.674096] RIP: 0033:0x7f2a495648db - [251067.674812] Code: 00 48 89 (...) - [251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 - [251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db - [251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004 - [251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 - [251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910 - [251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006 - [251067.686524] - [251067.686972] ---[ end trace 0000000000000000 ]--- - [251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown - [251067.689049] BTRFS info (device sdi state EA): forced readonly - [251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction. - [251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown - [251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda - -Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the -snapshot creation code when attempting to add the -BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical -and we are still able to delete the snapshot, as snapshot/subvolume -deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see -inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do -send/receive operations since it always peeks the first root ID in the -existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all -snapshots have the same content), and even if the key is missing, it -falls back to searching by BTRFS_UUID_KEY_SUBVOL key. - -A test case for fstests will be sent soon. - -Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree") -CC: stable@vger.kernel.org # 3.12+ -Reviewed-by: Boris Burkov -Reviewed-by: Qu Wenruo -Signed-off-by: Filipe Manana -Reviewed-by: David Sterba -Signed-off-by: David Sterba -[ adapted error check condition to omit unlikely() wrapper ] -Signed-off-by: Sasha Levin -Signed-off-by: Greg Kroah-Hartman ---- - fs/btrfs/transaction.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - ---- a/fs/btrfs/transaction.c -+++ b/fs/btrfs/transaction.c -@@ -1748,6 +1748,22 @@ static noinline int create_pending_snaps - ret = btrfs_uuid_tree_add(trans, new_root_item->received_uuid, - BTRFS_UUID_KEY_RECEIVED_SUBVOL, - objectid); -+ /* -+ * We are creating of lot of snapshots of the same root that was -+ * received (has a received UUID) and reached a leaf's limit for -+ * an item. We can safely ignore this and avoid a transaction -+ * abort. A deletion of this snapshot will still work since we -+ * ignore if an item with a BTRFS_UUID_KEY_RECEIVED_SUBVOL key -+ * is missing (see btrfs_delete_subvolume()). Send/receive will -+ * work too since it peeks the first root id from the existing -+ * item (it could peek any), and in case it's missing it -+ * falls back to search by BTRFS_UUID_KEY_SUBVOL keys. -+ * Creation of a snapshot does not require CAP_SYS_ADMIN, so -+ * we don't want users triggering transaction aborts, either -+ * intentionally or not. -+ */ -+ if (ret == -EOVERFLOW) -+ ret = 0; - if (ret && ret != -EEXIST) { - btrfs_abort_transaction(trans, ret); - goto fail; diff --git a/queue-5.10/revert-btrfs-fix-transaction-abort-on-set-received-i.patch b/queue-5.10/revert-btrfs-fix-transaction-abort-on-set-received-i.patch deleted file mode 100644 index 6c4c6436d0..0000000000 --- a/queue-5.10/revert-btrfs-fix-transaction-abort-on-set-received-i.patch +++ /dev/null @@ -1,127 +0,0 @@ -From bfe3c6804c83ddaade6f882277e363dadd75ac0c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 6 Apr 2026 08:55:23 -0400 -Subject: Revert "btrfs: fix transaction abort on set received ioctl due to - item overflow" - -This reverts commit 20b9a8d6f7ff4dc7dff3fdcba51730caa536a2de. - -Signed-off-by: Sasha Levin ---- - fs/btrfs/ctree.h | 2 -- - fs/btrfs/ioctl.c | 21 ++------------------ - fs/btrfs/uuid-tree.c | 46 -------------------------------------------- - 3 files changed, 2 insertions(+), 67 deletions(-) - -diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h -index 15affee7c6d11..a9926fb10c491 100644 ---- a/fs/btrfs/ctree.h -+++ b/fs/btrfs/ctree.h -@@ -2869,8 +2869,6 @@ int btrfs_uuid_tree_add(struct btrfs_trans_handle *trans, u8 *uuid, u8 type, - u64 subid); - int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type, - u64 subid); --int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info, -- u8 *uuid, u8 type); - int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info); - - /* dir-item.c */ -diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c -index 3712396c3f8a0..574a00db258a0 100644 ---- a/fs/btrfs/ioctl.c -+++ b/fs/btrfs/ioctl.c -@@ -4486,25 +4486,6 @@ static long _btrfs_ioctl_set_received_subvol(struct file *file, - goto out; - } - -- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid, -- BTRFS_UUID_SIZE); -- -- /* -- * Before we attempt to add the new received uuid, check if we have room -- * for it in case there's already an item. If the size of the existing -- * item plus this root's ID (u64) exceeds the maximum item size, we can -- * return here without the need to abort a transaction. If we don't do -- * this check, the btrfs_uuid_tree_add() call below would fail with -- * -EOVERFLOW and result in a transaction abort. Malicious users could -- * exploit this to turn the fs into RO mode. -- */ -- if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) { -- ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid, -- BTRFS_UUID_KEY_RECEIVED_SUBVOL); -- if (ret < 0) -- goto out; -- } -- - /* - * 1 - root item - * 2 - uuid items (received uuid + subvol uuid) -@@ -4520,6 +4501,8 @@ static long _btrfs_ioctl_set_received_subvol(struct file *file, - sa->rtime.sec = ct.tv_sec; - sa->rtime.nsec = ct.tv_nsec; - -+ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid, -+ BTRFS_UUID_SIZE); - if (received_uuid_changed && - !btrfs_is_empty_uuid(root_item->received_uuid)) { - ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid, -diff --git a/fs/btrfs/uuid-tree.c b/fs/btrfs/uuid-tree.c -index aee89c7293f65..28525ad7ff8cb 100644 ---- a/fs/btrfs/uuid-tree.c -+++ b/fs/btrfs/uuid-tree.c -@@ -226,52 +226,6 @@ int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type, - return ret; - } - --/* -- * Check if we can add one root ID to a UUID key. -- * If the key does not yet exists, we can, otherwise only if extended item does -- * not exceeds the maximum item size permitted by the leaf size. -- * -- * Returns 0 on success, negative value on error. -- */ --int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info, -- u8 *uuid, u8 type) --{ -- struct btrfs_path *path = NULL; -- int ret; -- u32 item_size; -- struct btrfs_key key; -- -- if (WARN_ON_ONCE(!fs_info->uuid_root)) { -- ret = -EINVAL; -- goto out; -- } -- -- path = btrfs_alloc_path(); -- if (!path) { -- ret = -ENOMEM; -- goto out; -- } -- -- btrfs_uuid_to_key(uuid, type, &key); -- ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0); -- if (ret < 0) -- goto out; -- if (ret > 0) { -- ret = 0; -- goto out; -- } -- -- item_size = btrfs_item_size(path->nodes[0], path->slots[0]); -- -- if (sizeof(struct btrfs_item) + item_size + sizeof(u64) > -- BTRFS_LEAF_DATA_SIZE(fs_info)) -- ret = -EOVERFLOW; -- --out: -- btrfs_free_path(path); -- return ret; --} -- - static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type, - u64 subid) - { --- -2.53.0 - diff --git a/queue-5.10/series b/queue-5.10/series index f02315f5cd..c19fbefae9 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -171,8 +171,6 @@ iomap-reject-delalloc-mappings-during-writeback.patch tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch -btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch -btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch smb-client-fix-atomic-open-with-o_direct-o_sync.patch smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch @@ -354,8 +352,6 @@ net-sched-cls_fw-fix-null-pointer-dereference-on-sha.patch net-sched-cls_flow-fix-null-pointer-dereference-on-s.patch ipv6-avoid-overflows-in-ip6_datagram_send_ctl.patch efi-mokvar-table-avoid-repeated-map-unmap-of-the-sam.patch -revert-btrfs-fix-transaction-abort-on-set-received-i.patch -btrfs-fix-transaction-abort-on-set-received-ioctl-du.patch revert-drm-vmwgfx-add-seqno-waiter-for-sync_files.patch drm-vmwgfx-add-seqno-waiter-for-sync_files.patch-18451 revert-scsi-core-wake-up-the-error-handler-when-fina.patch