Patch "btrfs: do not allow non subvolume root targets for snapshot" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 24 Dec 2023 09:11:36 -0500

This is a note to let you know that I've just added the patch titled

    btrfs: do not allow non subvolume root targets for snapshot

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     btrfs-do-not-allow-non-subvolume-root-targets-for-sn.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6bb24db036a3b5de32153d9eb366375428836c01
Author: Josef Bacik <josef@xxxxxxxxxxxxxx>
Date:   Fri Dec 15 10:01:44 2023 -0500

    btrfs: do not allow non subvolume root targets for snapshot
    
    [ Upstream commit a8892fd71933126ebae3d60aec5918d4dceaae76 ]
    
    Our btrfs subvolume snapshot <source> <destination> utility enforces
    that <source> is the root of the subvolume, however this isn't enforced
    in the kernel.  Update the kernel to also enforce this limitation to
    avoid problems with other users of this ioctl that don't have the
    appropriate checks in place.
    
    Reported-by: Martin Michaelis <code@xxxxxxx>
    CC: stable@xxxxxxxxxxxxxxx # 4.14+
    Reviewed-by: Neal Gompa <neal@xxxxxxxxx>
    Signed-off-by: Josef Bacik <josef@xxxxxxxxxxxxxx>
    Reviewed-by: David Sterba <dsterba@xxxxxxxx>
    Signed-off-by: David Sterba <dsterba@xxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 6da8587e2ae37..f06824bea4686 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -1868,6 +1868,15 @@ static noinline int __btrfs_ioctl_snap_create(struct file *file,
 			 * are limited to own subvolumes only
 			 */
 			ret = -EPERM;
+		} else if (btrfs_ino(BTRFS_I(src_inode)) != BTRFS_FIRST_FREE_OBJECTID) {
+			/*
+			 * Snapshots must be made with the src_inode referring
+			 * to the subvolume inode, otherwise the permission
+			 * checking above is useless because we may have
+			 * permission on a lower directory but not the subvol
+			 * itself.
+			 */
+			ret = -EINVAL;
 		} else {
 			ret = btrfs_mksnapshot(&file->f_path, name, namelen,
 					     BTRFS_I(src_inode)->root,







