CVE-2026-46160
published 2026-05-28CVE-2026-46160: In the Linux kernel, the following vulnerability has been resolved: btrfs: fix missing last_unlink_trans update when removing a directory When removing a…
high7
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix missing last_unlink_trans update when removing a directory
When removing a directory we are not updating its last_unlink_trans field,
which can result in incorrect fsync behaviour in case some one fsyncs the
directory after it was removed because it's holding a file descriptor on
it.
Example scenario:
mkdir /mnt/dir1
mkdir /mnt/dir1/dir2
mkdir /mnt/dir3
sync -f /mnt
# Do some change to the directory and fsync it.
chmod 700 /mnt/dir1
xfs_io -c fsync /mnt/dir1
# Move dir2 out of dir1 so that dir1 becomes empty.
mv /mnt/dir1/dir2 /mnt/dir3/
open fd on /mnt/dir1
call rmdir(2) on path "/mnt/dir1"
fsync fd
When attempting to mount the filesystem, the log replay will fail with
an -EIO error and dmesg/syslog has the following:
[445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650
[445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm
[445771.627912] BTRFS info (device dm-0): start tree-log replay
[445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5
[445771.629453] memcg:ffff89f400351b00
[445771.629892] aops:btree_aops [btrfs] ino:1
[445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
[445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8
[445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00
[445771.635029] page dumped because: eb page dump
[445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir
[445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5
[445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087
[445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
[445771.638097] inod
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux | — | — |
| linux | linux | >= 12fcfd22fe5bf4fe74710232098bc101af497995 < cc3c0a0f965754ce230d93ba44ee5b34fbe6138a | cc3c0a0f965754ce230d93ba44ee5b34fbe6138a |
| linux | linux | >= 12fcfd22fe5bf4fe74710232098bc101af497995 < aa9c3ecaf7337df3a689318584f879b5339ede0f | aa9c3ecaf7337df3a689318584f879b5339ede0f |
| linux | linux | >= 12fcfd22fe5bf4fe74710232098bc101af497995 < fb388eb58c1ba047ccabc33901839acfecadcf49 | fb388eb58c1ba047ccabc33901839acfecadcf49 |
| linux | linux | >= 12fcfd22fe5bf4fe74710232098bc101af497995 < 36fcc2c7517f8a86379154c9793f867592aa8b7e | 36fcc2c7517f8a86379154c9793f867592aa8b7e |
| linux | linux | >= 12fcfd22fe5bf4fe74710232098bc101af497995 < 999757231c49376cd1a37308d2c8c4c9932571e1 | 999757231c49376cd1a37308d2c8c4c9932571e1 |
| linux | linux_kernel | — | — |