Patch "btrfs: do not allow non subvolume root targets for snapshot" has been added to the 6.1-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 18 Dec 2023 08:10:34 +0100

This is a note to let you know that I've just added the patch titled

    btrfs: do not allow non subvolume root targets for snapshot

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     btrfs-do-not-allow-non-subvolume-root-targets-for-snapshot.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From a8892fd71933126ebae3d60aec5918d4dceaae76 Mon Sep 17 00:00:00 2001
From: Josef Bacik <josef@xxxxxxxxxxxxxx>
Date: Fri, 15 Dec 2023 10:01:44 -0500
Subject: btrfs: do not allow non subvolume root targets for snapshot

From: Josef Bacik <josef@xxxxxxxxxxxxxx>

commit a8892fd71933126ebae3d60aec5918d4dceaae76 upstream.

Our btrfs subvolume snapshot <source> <destination> utility enforces
that <source> is the root of the subvolume, however this isn't enforced
in the kernel.  Update the kernel to also enforce this limitation to
avoid problems with other users of this ioctl that don't have the
appropriate checks in place.

Reported-by: Martin Michaelis <code@xxxxxxx>
CC: stable@xxxxxxxxxxxxxxx # 4.14+
Reviewed-by: Neal Gompa <neal@xxxxxxxxx>
Signed-off-by: Josef Bacik <josef@xxxxxxxxxxxxxx>
Reviewed-by: David Sterba <dsterba@xxxxxxxx>
Signed-off-by: David Sterba <dsterba@xxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/btrfs/ioctl.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2182,6 +2182,15 @@ static noinline int __btrfs_ioctl_snap_c
 			 * are limited to own subvolumes only
 			 */
 			ret = -EPERM;
+		} else if (btrfs_ino(BTRFS_I(src_inode)) != BTRFS_FIRST_FREE_OBJECTID) {
+			/*
+			 * Snapshots must be made with the src_inode referring
+			 * to the subvolume inode, otherwise the permission
+			 * checking above is useless because we may have
+			 * permission on a lower directory but not the subvol
+			 * itself.
+			 */
+			ret = -EINVAL;
 		} else {
 			ret = btrfs_mksnapshot(&file->f_path, mnt_userns,
 					       name, namelen,


Patches currently in stable-queue which might be from josef@xxxxxxxxxxxxxx are

queue-6.1/nbd-fold-nbd-config-initialization-into-nbd_alloc_co.patch
queue-6.1/btrfs-do-not-allow-non-subvolume-root-targets-for-snapshot.patch







