+++ /dev/null
-From 59da1e3ff3cc66b5dff4936e1209e1b93f647984 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 6 Apr 2026 09:02:32 -0400
-Subject: btrfs: fix transaction abort on set received ioctl due to item
- overflow
-
-From: Filipe Manana <fdmanana@suse.com>
-
-[ Upstream commit 87f2c46003fce4d739138aab4af1942b1afdadac ]
-
-If the set received ioctl fails due to an item overflow when attempting to
-add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
-since we did some metadata updates before.
-
-This means that if a user calls this ioctl with the same received UUID
-field for a lot of subvolumes, we will hit the overflow, trigger the
-transaction abort and turn the filesystem into RO mode. A malicious user
-could exploit this, and this ioctl does not even requires that a user
-has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
-
-Fix this by doing an early check for item overflow before starting a
-transaction. This is also race safe because we are holding the subvol_sem
-semaphore in exclusive (write) mode.
-
-A test case for fstests will follow soon.
-
-Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
-CC: stable@vger.kernel.org # 3.12+
-Reviewed-by: Anand Jain <asj@kernel.org>
-Signed-off-by: Filipe Manana <fdmanana@suse.com>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/btrfs/ctree.h | 2 ++
- fs/btrfs/ioctl.c | 21 +++++++++++++++++++--
- fs/btrfs/uuid-tree.c | 42 ++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 63 insertions(+), 2 deletions(-)
-
-diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
-index a9926fb10c491..c395035980eef 100644
---- a/fs/btrfs/ctree.h
-+++ b/fs/btrfs/ctree.h
-@@ -2870,6 +2870,8 @@ int btrfs_uuid_tree_add(struct btrfs_trans_handle *trans, u8 *uuid, u8 type,
- int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type,
- u64 subid);
- int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info);
-+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
-+ u8 *uuid, u8 type);
-
- /* dir-item.c */
- int btrfs_check_dir_item_collision(struct btrfs_root *root, u64 dir,
-diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
-index 574a00db258a0..3712396c3f8a0 100644
---- a/fs/btrfs/ioctl.c
-+++ b/fs/btrfs/ioctl.c
-@@ -4486,6 +4486,25 @@ static long _btrfs_ioctl_set_received_subvol(struct file *file,
- goto out;
- }
-
-+ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
-+ BTRFS_UUID_SIZE);
-+
-+ /*
-+ * Before we attempt to add the new received uuid, check if we have room
-+ * for it in case there's already an item. If the size of the existing
-+ * item plus this root's ID (u64) exceeds the maximum item size, we can
-+ * return here without the need to abort a transaction. If we don't do
-+ * this check, the btrfs_uuid_tree_add() call below would fail with
-+ * -EOVERFLOW and result in a transaction abort. Malicious users could
-+ * exploit this to turn the fs into RO mode.
-+ */
-+ if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) {
-+ ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid,
-+ BTRFS_UUID_KEY_RECEIVED_SUBVOL);
-+ if (ret < 0)
-+ goto out;
-+ }
-+
- /*
- * 1 - root item
- * 2 - uuid items (received uuid + subvol uuid)
-@@ -4501,8 +4520,6 @@ static long _btrfs_ioctl_set_received_subvol(struct file *file,
- sa->rtime.sec = ct.tv_sec;
- sa->rtime.nsec = ct.tv_nsec;
-
-- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
-- BTRFS_UUID_SIZE);
- if (received_uuid_changed &&
- !btrfs_is_empty_uuid(root_item->received_uuid)) {
- ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid,
-diff --git a/fs/btrfs/uuid-tree.c b/fs/btrfs/uuid-tree.c
-index 28525ad7ff8cb..d40e1731b570e 100644
---- a/fs/btrfs/uuid-tree.c
-+++ b/fs/btrfs/uuid-tree.c
-@@ -226,6 +226,48 @@ int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type,
- return ret;
- }
-
-+/*
-+ * Check if we can add one root ID to a UUID key.
-+ * If the key does not yet exists, we can, otherwise only if extended item does
-+ * not exceeds the maximum item size permitted by the leaf size.
-+ *
-+ * Returns 0 on success, negative value on error.
-+ */
-+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
-+ u8 *uuid, u8 type)
-+{
-+ struct btrfs_path *path = NULL;
-+ int ret;
-+ u32 item_size;
-+ struct btrfs_key key;
-+
-+ if (WARN_ON_ONCE(!fs_info->uuid_root))
-+ return -EINVAL;
-+
-+ path = btrfs_alloc_path();
-+ if (!path)
-+ return -ENOMEM;
-+
-+ btrfs_uuid_to_key(uuid, type, &key);
-+ ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0);
-+ if (ret < 0)
-+ goto out;
-+ if (ret > 0) {
-+ ret = 0;
-+ goto out;
-+ }
-+
-+ item_size = btrfs_item_size_nr(path->nodes[0], path->slots[0]);
-+
-+ if (sizeof(struct btrfs_item) + item_size + sizeof(u64) >
-+ BTRFS_LEAF_DATA_SIZE(fs_info))
-+ ret = -EOVERFLOW;
-+
-+out:
-+ btrfs_free_path(path);
-+ return ret;
-+}
-+
- static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type,
- u64 subid)
- {
---
-2.53.0
-
+++ /dev/null
-From stable+bounces-227402-greg=kroah.com@vger.kernel.org Fri Mar 20 01:17:13 2026
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 19 Mar 2026 20:17:04 -0400
-Subject: btrfs: fix transaction abort on set received ioctl due to item overflow
-To: stable@vger.kernel.org
-Cc: Filipe Manana <fdmanana@suse.com>, Anand Jain <asj@kernel.org>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
-Message-ID: <20260320001704.3248188-1-sashal@kernel.org>
-
-From: Filipe Manana <fdmanana@suse.com>
-
-[ Upstream commit 87f2c46003fce4d739138aab4af1942b1afdadac ]
-
-If the set received ioctl fails due to an item overflow when attempting to
-add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction
-since we did some metadata updates before.
-
-This means that if a user calls this ioctl with the same received UUID
-field for a lot of subvolumes, we will hit the overflow, trigger the
-transaction abort and turn the filesystem into RO mode. A malicious user
-could exploit this, and this ioctl does not even requires that a user
-has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
-
-Fix this by doing an early check for item overflow before starting a
-transaction. This is also race safe because we are holding the subvol_sem
-semaphore in exclusive (write) mode.
-
-A test case for fstests will follow soon.
-
-Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
-CC: stable@vger.kernel.org # 3.12+
-Reviewed-by: Anand Jain <asj@kernel.org>
-Signed-off-by: Filipe Manana <fdmanana@suse.com>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-[ A whole bunch of small things :) ]
-Signed-off-by: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/ctree.h | 2 ++
- fs/btrfs/ioctl.c | 21 +++++++++++++++++++--
- fs/btrfs/uuid-tree.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 67 insertions(+), 2 deletions(-)
-
---- a/fs/btrfs/ctree.h
-+++ b/fs/btrfs/ctree.h
-@@ -2869,6 +2869,8 @@ int btrfs_uuid_tree_add(struct btrfs_tra
- u64 subid);
- int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type,
- u64 subid);
-+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
-+ u8 *uuid, u8 type);
- int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info);
-
- /* dir-item.c */
---- a/fs/btrfs/ioctl.c
-+++ b/fs/btrfs/ioctl.c
-@@ -4486,6 +4486,25 @@ static long _btrfs_ioctl_set_received_su
- goto out;
- }
-
-+ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
-+ BTRFS_UUID_SIZE);
-+
-+ /*
-+ * Before we attempt to add the new received uuid, check if we have room
-+ * for it in case there's already an item. If the size of the existing
-+ * item plus this root's ID (u64) exceeds the maximum item size, we can
-+ * return here without the need to abort a transaction. If we don't do
-+ * this check, the btrfs_uuid_tree_add() call below would fail with
-+ * -EOVERFLOW and result in a transaction abort. Malicious users could
-+ * exploit this to turn the fs into RO mode.
-+ */
-+ if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) {
-+ ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid,
-+ BTRFS_UUID_KEY_RECEIVED_SUBVOL);
-+ if (ret < 0)
-+ goto out;
-+ }
-+
- /*
- * 1 - root item
- * 2 - uuid items (received uuid + subvol uuid)
-@@ -4501,8 +4520,6 @@ static long _btrfs_ioctl_set_received_su
- sa->rtime.sec = ct.tv_sec;
- sa->rtime.nsec = ct.tv_nsec;
-
-- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
-- BTRFS_UUID_SIZE);
- if (received_uuid_changed &&
- !btrfs_is_empty_uuid(root_item->received_uuid)) {
- ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid,
---- a/fs/btrfs/uuid-tree.c
-+++ b/fs/btrfs/uuid-tree.c
-@@ -226,6 +226,52 @@ out:
- return ret;
- }
-
-+/*
-+ * Check if we can add one root ID to a UUID key.
-+ * If the key does not yet exists, we can, otherwise only if extended item does
-+ * not exceeds the maximum item size permitted by the leaf size.
-+ *
-+ * Returns 0 on success, negative value on error.
-+ */
-+int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
-+ u8 *uuid, u8 type)
-+{
-+ struct btrfs_path *path = NULL;
-+ int ret;
-+ u32 item_size;
-+ struct btrfs_key key;
-+
-+ if (WARN_ON_ONCE(!fs_info->uuid_root)) {
-+ ret = -EINVAL;
-+ goto out;
-+ }
-+
-+ path = btrfs_alloc_path();
-+ if (!path) {
-+ ret = -ENOMEM;
-+ goto out;
-+ }
-+
-+ btrfs_uuid_to_key(uuid, type, &key);
-+ ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0);
-+ if (ret < 0)
-+ goto out;
-+ if (ret > 0) {
-+ ret = 0;
-+ goto out;
-+ }
-+
-+ item_size = btrfs_item_size(path->nodes[0], path->slots[0]);
-+
-+ if (sizeof(struct btrfs_item) + item_size + sizeof(u64) >
-+ BTRFS_LEAF_DATA_SIZE(fs_info))
-+ ret = -EOVERFLOW;
-+
-+out:
-+ btrfs_free_path(path);
-+ return ret;
-+}
-+
- static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type,
- u64 subid)
- {
+++ /dev/null
-From stable+bounces-227367-greg=kroah.com@vger.kernel.org Thu Mar 19 19:38:35 2026
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 19 Mar 2026 14:34:41 -0400
-Subject: btrfs: fix transaction abort when snapshotting received subvolumes
-To: stable@vger.kernel.org
-Cc: Filipe Manana <fdmanana@suse.com>, Boris Burkov <boris@bur.io>, Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
-Message-ID: <20260319183441.2928953-1-sashal@kernel.org>
-
-From: Filipe Manana <fdmanana@suse.com>
-
-[ Upstream commit e1b18b959025e6b5dbad668f391f65d34b39595a ]
-
-Currently a user can trigger a transaction abort by snapshotting a
-previously received snapshot a bunch of times until we reach a
-BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we
-can store in a leaf). This is very likely not common in practice, but
-if it happens, it turns the filesystem into RO mode. The snapshot, send
-and set_received_subvol and subvol_setflags (used by receive) don't
-require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user
-could use this to turn a filesystem into RO mode and disrupt a system.
-
-Reproducer script:
-
- $ cat test.sh
- #!/bin/bash
-
- DEV=/dev/sdi
- MNT=/mnt/sdi
-
- # Use smallest node size to make the test faster.
- mkfs.btrfs -f --nodesize 4K $DEV
- mount $DEV $MNT
-
- # Create a subvolume and set it to RO so that it can be used for send.
- btrfs subvolume create $MNT/sv
- touch $MNT/sv/foo
- btrfs property set $MNT/sv ro true
-
- # Send and receive the subvolume into snaps/sv.
- mkdir $MNT/snaps
- btrfs send $MNT/sv | btrfs receive $MNT/snaps
-
- # Now snapshot the received subvolume, which has a received_uuid, a
- # lot of times to trigger the leaf overflow.
- total=500
- for ((i = 1; i <= $total; i++)); do
- echo -ne "\rCreating snapshot $i/$total"
- btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null
- done
- echo
-
- umount $MNT
-
-When running the test:
-
- $ ./test.sh
- (...)
- Create subvolume '/mnt/sdi/sv'
- At subvol /mnt/sdi/sv
- At subvol sv
- Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type
- Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system
- Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system
- Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system
- Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system
-
-And in dmesg/syslog:
-
- $ dmesg
- (...)
- [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252!
- [251067.629212] ------------[ cut here ]------------
- [251067.630033] BTRFS: Transaction aborted (error -75)
- [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235
- [251067.632851] Modules linked in: btrfs dm_zero (...)
- [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full)
- [251067.646165] Tainted: [W]=WARN
- [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
- [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs]
- [251067.649984] Code: f0 48 0f (...)
- [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292
- [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3
- [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750
- [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820
- [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0
- [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5
- [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000
- [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
- [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0
- [251067.661972] Call Trace:
- [251067.662292] <TASK>
- [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs]
- [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs]
- [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs]
- [251067.665238] ? _raw_spin_unlock+0x15/0x30
- [251067.665837] ? record_root_in_trans+0xa2/0xd0 [btrfs]
- [251067.666531] btrfs_mksubvol+0x330/0x580 [btrfs]
- [251067.667145] btrfs_mksnapshot+0x74/0xa0 [btrfs]
- [251067.667827] __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs]
- [251067.668595] btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs]
- [251067.669479] btrfs_ioctl+0x1580/0x2690 [btrfs]
- [251067.670093] ? count_memcg_events+0x6d/0x180
- [251067.670849] ? handle_mm_fault+0x1a0/0x2a0
- [251067.671652] __x64_sys_ioctl+0x92/0xe0
- [251067.672406] do_syscall_64+0x50/0xf20
- [251067.673129] entry_SYSCALL_64_after_hwframe+0x76/0x7e
- [251067.674096] RIP: 0033:0x7f2a495648db
- [251067.674812] Code: 00 48 89 (...)
- [251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
- [251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db
- [251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004
- [251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
- [251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910
- [251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006
- [251067.686524] </TASK>
- [251067.686972] ---[ end trace 0000000000000000 ]---
- [251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown
- [251067.689049] BTRFS info (device sdi state EA): forced readonly
- [251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction.
- [251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown
- [251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda
-
-Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the
-snapshot creation code when attempting to add the
-BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical
-and we are still able to delete the snapshot, as snapshot/subvolume
-deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see
-inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do
-send/receive operations since it always peeks the first root ID in the
-existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all
-snapshots have the same content), and even if the key is missing, it
-falls back to searching by BTRFS_UUID_KEY_SUBVOL key.
-
-A test case for fstests will be sent soon.
-
-Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree")
-CC: stable@vger.kernel.org # 3.12+
-Reviewed-by: Boris Burkov <boris@bur.io>
-Reviewed-by: Qu Wenruo <wqu@suse.com>
-Signed-off-by: Filipe Manana <fdmanana@suse.com>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-[ adapted error check condition to omit unlikely() wrapper ]
-Signed-off-by: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/btrfs/transaction.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
---- a/fs/btrfs/transaction.c
-+++ b/fs/btrfs/transaction.c
-@@ -1748,6 +1748,22 @@ static noinline int create_pending_snaps
- ret = btrfs_uuid_tree_add(trans, new_root_item->received_uuid,
- BTRFS_UUID_KEY_RECEIVED_SUBVOL,
- objectid);
-+ /*
-+ * We are creating of lot of snapshots of the same root that was
-+ * received (has a received UUID) and reached a leaf's limit for
-+ * an item. We can safely ignore this and avoid a transaction
-+ * abort. A deletion of this snapshot will still work since we
-+ * ignore if an item with a BTRFS_UUID_KEY_RECEIVED_SUBVOL key
-+ * is missing (see btrfs_delete_subvolume()). Send/receive will
-+ * work too since it peeks the first root id from the existing
-+ * item (it could peek any), and in case it's missing it
-+ * falls back to search by BTRFS_UUID_KEY_SUBVOL keys.
-+ * Creation of a snapshot does not require CAP_SYS_ADMIN, so
-+ * we don't want users triggering transaction aborts, either
-+ * intentionally or not.
-+ */
-+ if (ret == -EOVERFLOW)
-+ ret = 0;
- if (ret && ret != -EEXIST) {
- btrfs_abort_transaction(trans, ret);
- goto fail;
+++ /dev/null
-From bfe3c6804c83ddaade6f882277e363dadd75ac0c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 6 Apr 2026 08:55:23 -0400
-Subject: Revert "btrfs: fix transaction abort on set received ioctl due to
- item overflow"
-
-This reverts commit 20b9a8d6f7ff4dc7dff3fdcba51730caa536a2de.
-
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/btrfs/ctree.h | 2 --
- fs/btrfs/ioctl.c | 21 ++------------------
- fs/btrfs/uuid-tree.c | 46 --------------------------------------------
- 3 files changed, 2 insertions(+), 67 deletions(-)
-
-diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h
-index 15affee7c6d11..a9926fb10c491 100644
---- a/fs/btrfs/ctree.h
-+++ b/fs/btrfs/ctree.h
-@@ -2869,8 +2869,6 @@ int btrfs_uuid_tree_add(struct btrfs_trans_handle *trans, u8 *uuid, u8 type,
- u64 subid);
- int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type,
- u64 subid);
--int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
-- u8 *uuid, u8 type);
- int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info);
-
- /* dir-item.c */
-diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
-index 3712396c3f8a0..574a00db258a0 100644
---- a/fs/btrfs/ioctl.c
-+++ b/fs/btrfs/ioctl.c
-@@ -4486,25 +4486,6 @@ static long _btrfs_ioctl_set_received_subvol(struct file *file,
- goto out;
- }
-
-- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
-- BTRFS_UUID_SIZE);
--
-- /*
-- * Before we attempt to add the new received uuid, check if we have room
-- * for it in case there's already an item. If the size of the existing
-- * item plus this root's ID (u64) exceeds the maximum item size, we can
-- * return here without the need to abort a transaction. If we don't do
-- * this check, the btrfs_uuid_tree_add() call below would fail with
-- * -EOVERFLOW and result in a transaction abort. Malicious users could
-- * exploit this to turn the fs into RO mode.
-- */
-- if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) {
-- ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid,
-- BTRFS_UUID_KEY_RECEIVED_SUBVOL);
-- if (ret < 0)
-- goto out;
-- }
--
- /*
- * 1 - root item
- * 2 - uuid items (received uuid + subvol uuid)
-@@ -4520,6 +4501,8 @@ static long _btrfs_ioctl_set_received_subvol(struct file *file,
- sa->rtime.sec = ct.tv_sec;
- sa->rtime.nsec = ct.tv_nsec;
-
-+ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid,
-+ BTRFS_UUID_SIZE);
- if (received_uuid_changed &&
- !btrfs_is_empty_uuid(root_item->received_uuid)) {
- ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid,
-diff --git a/fs/btrfs/uuid-tree.c b/fs/btrfs/uuid-tree.c
-index aee89c7293f65..28525ad7ff8cb 100644
---- a/fs/btrfs/uuid-tree.c
-+++ b/fs/btrfs/uuid-tree.c
-@@ -226,52 +226,6 @@ int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type,
- return ret;
- }
-
--/*
-- * Check if we can add one root ID to a UUID key.
-- * If the key does not yet exists, we can, otherwise only if extended item does
-- * not exceeds the maximum item size permitted by the leaf size.
-- *
-- * Returns 0 on success, negative value on error.
-- */
--int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info,
-- u8 *uuid, u8 type)
--{
-- struct btrfs_path *path = NULL;
-- int ret;
-- u32 item_size;
-- struct btrfs_key key;
--
-- if (WARN_ON_ONCE(!fs_info->uuid_root)) {
-- ret = -EINVAL;
-- goto out;
-- }
--
-- path = btrfs_alloc_path();
-- if (!path) {
-- ret = -ENOMEM;
-- goto out;
-- }
--
-- btrfs_uuid_to_key(uuid, type, &key);
-- ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0);
-- if (ret < 0)
-- goto out;
-- if (ret > 0) {
-- ret = 0;
-- goto out;
-- }
--
-- item_size = btrfs_item_size(path->nodes[0], path->slots[0]);
--
-- if (sizeof(struct btrfs_item) + item_size + sizeof(u64) >
-- BTRFS_LEAF_DATA_SIZE(fs_info))
-- ret = -EOVERFLOW;
--
--out:
-- btrfs_free_path(path);
-- return ret;
--}
--
- static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type,
- u64 subid)
- {
---
-2.53.0
-
tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch
pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch
iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
-btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
-btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
smb-client-fix-atomic-open-with-o_direct-o_sync.patch
smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch
s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
net-sched-cls_flow-fix-null-pointer-dereference-on-s.patch
ipv6-avoid-overflows-in-ip6_datagram_send_ctl.patch
efi-mokvar-table-avoid-repeated-map-unmap-of-the-sam.patch
-revert-btrfs-fix-transaction-abort-on-set-received-i.patch
-btrfs-fix-transaction-abort-on-set-received-ioctl-du.patch
revert-drm-vmwgfx-add-seqno-waiter-for-sync_files.patch
drm-vmwgfx-add-seqno-waiter-for-sync_files.patch-18451
revert-scsi-core-wake-up-the-error-handler-when-fina.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
