CVE-2026-31519 (GCVE-0-2026-31519)
Vulnerability from cvelistv5
Published
2026-04-22 13:54
Modified
2026-04-23 15:18
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like: drwxrwxrwt 1 root root 16 Jan 23 16:49 . drwxr-xr-x 1 root root 24 Jan 23 16:48 .. d????????? ? ? ? ? ? broken_subvol and similarly stat-ing the file fails. In this state, deleting the subvol fails with ENOENT, but attempting to create a new file or subvol over it errors out with EEXIST and even aborts the fs. Which leaves us a bit stuck. dmesg contains a single notable error message reading: "could not do orphan cleanup -2" 2 is ENOENT and the error comes from the failure handling path of btrfs_orphan_cleanup(), with the stack leading back up to btrfs_lookup(). btrfs_lookup btrfs_lookup_dentry btrfs_orphan_cleanup // prints that message and returns -ENOENT After some detailed inspection of the internal state, it became clear that: - there are no orphan items for the subvol - the subvol is otherwise healthy looking, it is not half-deleted or anything, there is no drop progress, etc. - the subvol was created a while ago and does the meaningful first btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much later. - after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT, which results in a negative dentry for the subvolume via d_splice_alias(NULL, dentry), leading to the observed behavior. The bug can be mitigated by dropping the dentry cache, at which point we can successfully delete the subvolume if we want. i.e., btrfs_lookup() btrfs_lookup_dentry() if (!sb_rdonly(inode->vfs_inode)->vfs_inode) btrfs_orphan_cleanup(sub_root) test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) btrfs_search_slot() // finds orphan item for inode N ... prints "could not do orphan cleanup -2" if (inode == ERR_PTR(-ENOENT)) inode = NULL; return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume btrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) on the root when it runs, so it cannot run more than once on a given root, so something else must run concurrently. However, the obvious routes to deleting an orphan when nlinks goes to 0 should not be able to run without first doing a lookup into the subvolume, which should run btrfs_orphan_cleanup() and set the bit. The final important observation is that create_subvol() calls d_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if the dentry cache gets dropped, the next lookup into the subvolume will make a real call into btrfs_orphan_cleanup() for the first time. This opens up the possibility of concurrently deleting the inode/orphan items but most typical evict() paths will be holding a reference on the parent dentry (child dentry holds parent->d_lockref.count via dget in d_alloc(), released in __dentry_kill()) and prevent the parent from being removed from the dentry cache. The one exception is delayed iputs. Ordered extent creation calls igrab() on the inode. If the file is unlinked and closed while those refs are held, iput() in __dentry_kill() decrements i_count but does not trigger eviction (i_count > 0). The child dentry is freed and the subvol dentry's d_lockref.count drops to 0, making it evictable while the inode is still alive. Since there are two races (the race between writeback and unlink and the race between lookup and delayed iputs), and there are too many moving parts, the following three diagrams show the complete picture. (Only the second and third are races) Phase 1: Create Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set btrfs_mksubvol() lookup_one_len() __lookup_slow() d_alloc_parallel() __d_alloc() // d_lockref.count = 1 create_subvol(dentry) // doesn't touch the bit.. d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c ---truncated---
References
Impacted products
Vendor Product Version
Linux Linux Version: c71bf099abddf3e0fdc27f251ba76fca1461d49a
Version: c71bf099abddf3e0fdc27f251ba76fca1461d49a
Version: c71bf099abddf3e0fdc27f251ba76fca1461d49a
Version: c71bf099abddf3e0fdc27f251ba76fca1461d49a
Version: c71bf099abddf3e0fdc27f251ba76fca1461d49a
Version: c71bf099abddf3e0fdc27f251ba76fca1461d49a
Version: c4ba0bd9db5e8fd2664be0fd4ec01335fe3268eb
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d43da8de0ed376abafbad8a245a1835e8f66cb0f",
              "status": "affected",
              "version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
              "versionType": "git"
            },
            {
              "lessThan": "c57276ced3c3207f42182dfa2f0d8e860357e111",
              "status": "affected",
              "version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
              "versionType": "git"
            },
            {
              "lessThan": "a41a9b8d19a98b45591528c6e54d31cc66271d1e",
              "status": "affected",
              "version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
              "versionType": "git"
            },
            {
              "lessThan": "2ec578e6452138ab76f6c9a9c18711fcd197649f",
              "status": "affected",
              "version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
              "versionType": "git"
            },
            {
              "lessThan": "696683f214495db3cdacab9a713efaaced8660f8",
              "status": "affected",
              "version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
              "versionType": "git"
            },
            {
              "lessThan": "5131fa077f9bb386a1b901bf5b247041f0ec8f80",
              "status": "affected",
              "version": "c71bf099abddf3e0fdc27f251ba76fca1461d49a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c4ba0bd9db5e8fd2664be0fd4ec01335fe3268eb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.33"
            },
            {
              "lessThan": "2.6.33",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.131",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.80",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.21",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.11",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.32.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create\n\nWe have recently observed a number of subvolumes with broken dentries.\nls-ing the parent dir looks like:\n\ndrwxrwxrwt 1 root root 16 Jan 23 16:49 .\ndrwxr-xr-x 1 root root 24 Jan 23 16:48 ..\nd????????? ? ?    ?     ?            ? broken_subvol\n\nand similarly stat-ing the file fails.\n\nIn this state, deleting the subvol fails with ENOENT, but attempting to\ncreate a new file or subvol over it errors out with EEXIST and even\naborts the fs. Which leaves us a bit stuck.\n\ndmesg contains a single notable error message reading:\n\"could not do orphan cleanup -2\"\n\n2 is ENOENT and the error comes from the failure handling path of\nbtrfs_orphan_cleanup(), with the stack leading back up to\nbtrfs_lookup().\n\nbtrfs_lookup\nbtrfs_lookup_dentry\nbtrfs_orphan_cleanup // prints that message and returns -ENOENT\n\nAfter some detailed inspection of the internal state, it became clear\nthat:\n- there are no orphan items for the subvol\n- the subvol is otherwise healthy looking, it is not half-deleted or\n  anything, there is no drop progress, etc.\n- the subvol was created a while ago and does the meaningful first\n  btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much\n  later.\n- after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT,\n  which results in a negative dentry for the subvolume via\n  d_splice_alias(NULL, dentry), leading to the observed behavior. The\n  bug can be mitigated by dropping the dentry cache, at which point we\n  can successfully delete the subvolume if we want.\n\ni.e.,\nbtrfs_lookup()\n  btrfs_lookup_dentry()\n    if (!sb_rdonly(inode-\u003evfs_inode)-\u003evfs_inode)\n    btrfs_orphan_cleanup(sub_root)\n      test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)\n      btrfs_search_slot() // finds orphan item for inode N\n      ...\n      prints \"could not do orphan cleanup -2\"\n  if (inode == ERR_PTR(-ENOENT))\n    inode = NULL;\n  return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume\n\nbtrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP)\non the root when it runs, so it cannot run more than once on a given\nroot, so something else must run concurrently. However, the obvious\nroutes to deleting an orphan when nlinks goes to 0 should not be able to\nrun without first doing a lookup into the subvolume, which should run\nbtrfs_orphan_cleanup() and set the bit.\n\nThe final important observation is that create_subvol() calls\nd_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if\nthe dentry cache gets dropped, the next lookup into the subvolume will\nmake a real call into btrfs_orphan_cleanup() for the first time. This\nopens up the possibility of concurrently deleting the inode/orphan items\nbut most typical evict() paths will be holding a reference on the parent\ndentry (child dentry holds parent-\u003ed_lockref.count via dget in\nd_alloc(), released in __dentry_kill()) and prevent the parent from\nbeing removed from the dentry cache.\n\nThe one exception is delayed iputs. Ordered extent creation calls\nigrab() on the inode. If the file is unlinked and closed while those\nrefs are held, iput() in __dentry_kill() decrements i_count but does\nnot trigger eviction (i_count \u003e 0). The child dentry is freed and the\nsubvol dentry\u0027s d_lockref.count drops to 0, making it evictable while\nthe inode is still alive.\n\nSince there are two races (the race between writeback and unlink and\nthe race between lookup and delayed iputs), and there are too many moving\nparts, the following three diagrams show the complete picture.\n(Only the second and third are races)\n\nPhase 1:\nCreate Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set\n\nbtrfs_mksubvol()\n  lookup_one_len()\n    __lookup_slow()\n      d_alloc_parallel()\n        __d_alloc() // d_lockref.count = 1\n  create_subvol(dentry)\n    // doesn\u0027t touch the bit..\n    d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T15:18:36.202Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d43da8de0ed376abafbad8a245a1835e8f66cb0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/c57276ced3c3207f42182dfa2f0d8e860357e111"
        },
        {
          "url": "https://git.kernel.org/stable/c/a41a9b8d19a98b45591528c6e54d31cc66271d1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ec578e6452138ab76f6c9a9c18711fcd197649f"
        },
        {
          "url": "https://git.kernel.org/stable/c/696683f214495db3cdacab9a713efaaced8660f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5131fa077f9bb386a1b901bf5b247041f0ec8f80"
        }
      ],
      "title": "btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31519",
    "datePublished": "2026-04-22T13:54:34.860Z",
    "dateReserved": "2026-03-09T15:48:24.108Z",
    "dateUpdated": "2026-04-23T15:18:36.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.