VYPR
Unrated severity · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-45974

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found

If btrfs_search_slot_for_read() returns 1, it means we did not find any key greater than or equal to the key we asked for, meaning we have reached the end of the tree and therefore the path is not valid. If this happens we need to break out of the loop and stop, instead of continuing and accessing an invalid path.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing check for the case where the ref key is not found in btrfs_quota_enable() can lead to an invalid memory access and a system crash.

Vulnerability

In the Linux kernel's Btrfs filesystem, the function btrfs_quota_enable() incorrectly handles the return value of btrfs_search_slot_for_read() [1]. When that function returns 1, it indicates that no key greater than or equal to the requested key was found and the leaf pointer in the path is no longer valid. The code in affected versions does not break out of the loop in this case and proceeds to access the invalid leaf, leading to a use-after-free or memory corruption. This bug was introduced in an earlier commit and affects all versions up to the fix in kernel commit b2bd557b75b760e4b9d209112bda19314bd64558.

Exploitation

An attacker would need local access to the system with sufficient privileges to trigger the quota enable operation (e.g., via btrfs quota enable on a Btrfs filesystem). No special hardware or race condition is required; the vulnerability occurs during normal filesystem quota setup when the tree walk reaches the end without finding the expected key.

Impact

Successful exploitation results in an invalid memory access (read from an invalid path), which can cause a kernel panic (denial of service). In theory, an attacker might leverage the memory corruption to elevate privileges, but the primary consequence is system instability or crash.

Mitigation

The fix is included in Linux kernel commit b2bd557b75b760e4b9d209112bda19314bd64558 and was applied to the stable branches [1]. Users should update to a kernel version containing this commit (e.g., 6.1.y-stable, 6.6.y-stable, etc., depending on the base series). No workaround is available if the kernel cannot be updated.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

16
023545e272f3

btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Filipe Manana · Fixed in 5.10.252 · via kernel-cna
1 file changed · +7 −5
  • fs/btrfs/qgroup.c +7 −5 modified
    diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
    index 647feb72c8b0a5..a252f6cca00278 100644
    --- a/fs/btrfs/qgroup.c
    +++ b/fs/btrfs/qgroup.c
    @@ -1090,11 +1090,14 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info)
     			}
     			if (ret > 0) {
     				/*
    -				 * Shouldn't happen, but in case it does we
    -				 * don't need to do the btrfs_next_item, just
    -				 * continue.
    +				 * Shouldn't happen because the key should still
    +				 * be there (return 0), but in case it does it
    +				 * means we have reached the end of the tree -
    +				 * there are no more leaves with items that have
    +				 * a key greater than or equals to @found_key,
    +				 * so just stop the search loop.
     				 */
    -				continue;
    +				break;
     			}
     		}
     		ret = btrfs_next_item(tree_root, path);
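Review bot: the `break` is the right exit here, and the removed comment shows what made `continue` unsafe: `continue` does skip the `ret = btrfs_next_item(tree_root, path);` that follows, but it jumps back to the top of the loop with the path that btrfs_search_slot_for_read() has just left positioned past the end of the tree, which is the invalid access the commit message describes. Worth confirming in this 5.10 backport that the code after the loop still releases the path and treats `ret == 1` as the normal end-of-walk result, since the `break` now reaches it with `ret > 0`.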
    
b5b8ade9da45

btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Filipe Manana · Fixed in 6.1.165 · via kernel-cna
1 file changed · +7 −5
  • fs/btrfs/qgroup.c +7 −5 modified
    diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
    index b175d0a4b3826b..e80d73ad081031 100644
    --- a/fs/btrfs/qgroup.c
    +++ b/fs/btrfs/qgroup.c
    @@ -1123,11 +1123,14 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info)
     			}
     			if (ret > 0) {
     				/*
    -				 * Shouldn't happen, but in case it does we
    -				 * don't need to do the btrfs_next_item, just
    -				 * continue.
    +				 * Shouldn't happen because the key should still
    +				 * be there (return 0), but in case it does it
    +				 * means we have reached the end of the tree -
    +				 * there are no more leaves with items that have
    +				 * a key greater than or equals to @found_key,
    +				 * so just stop the search loop.
     				 */
    -				continue;
    +				break;
     			}
     		}
     		ret = btrfs_next_item(tree_root, path);
    
fd4913a53e3b

btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Filipe Manana · Fixed in 5.15.202 · via kernel-cna
1 file changed · +7 −5
  • fs/btrfs/qgroup.c +7 −5 modified
    diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
    index 4593ca523490fd..208c6813dc6813 100644
    --- a/fs/btrfs/qgroup.c
    +++ b/fs/btrfs/qgroup.c
    @@ -1089,11 +1089,14 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info)
     			}
     			if (ret > 0) {
     				/*
    -				 * Shouldn't happen, but in case it does we
    -				 * don't need to do the btrfs_next_item, just
    -				 * continue.
    +				 * Shouldn't happen because the key should still
    +				 * be there (return 0), but in case it does it
    +				 * means we have reached the end of the tree -
    +				 * there are no more leaves with items that have
    +				 * a key greater than or equals to @found_key,
    +				 * so just stop the search loop.
     				 */
    -				continue;
    +				break;
     			}
     		}
     		ret = btrfs_next_item(tree_root, path);
    
1ee1d006c9fe

btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Filipe Manana · Fixed in 6.6.128 · via kernel-cna
1 file changed · +7 −5
  • fs/btrfs/qgroup.c +7 −5 modified
    diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
    index d27b9e0fa229ad..622febdb61e23e 100644
    --- a/fs/btrfs/qgroup.c
    +++ b/fs/btrfs/qgroup.c
    @@ -1129,11 +1129,14 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info)
     			}
     			if (ret > 0) {
     				/*
    -				 * Shouldn't happen, but in case it does we
    -				 * don't need to do the btrfs_next_item, just
    -				 * continue.
    +				 * Shouldn't happen because the key should still
    +				 * be there (return 0), but in case it does it
    +				 * means we have reached the end of the tree -
    +				 * there are no more leaves with items that have
    +				 * a key greater than or equals to @found_key,
    +				 * so just stop the search loop.
     				 */
    -				continue;
    +				break;
     			}
     		}
     		ret = btrfs_next_item(tree_root, path);
    
0761447f6f51

btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Filipe Manana · Fixed in 6.12.75 · via kernel-cna
1 file changed · +7 −5
  • fs/btrfs/qgroup.c +7 −5 modified
    diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
    index 4df0ba100f9de6..71ccba22752cb1 100644
    --- a/fs/btrfs/qgroup.c
    +++ b/fs/btrfs/qgroup.c
    @@ -1199,11 +1199,14 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info,
     			}
     			if (ret > 0) {
     				/*
    -				 * Shouldn't happen, but in case it does we
    -				 * don't need to do the btrfs_next_item, just
    -				 * continue.
    +				 * Shouldn't happen because the key should still
    +				 * be there (return 0), but in case it does it
    +				 * means we have reached the end of the tree -
    +				 * there are no more leaves with items that have
    +				 * a key greater than or equals to @found_key,
    +				 * so just stop the search loop.
     				 */
    -				continue;
    +				break;
     			}
     		}
     		ret = btrfs_next_item(tree_root, path);
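Review bot: the hunk header shows a different `btrfs_quota_enable(struct btrfs_fs_info *fs_info,` signature in this 6.12 series than in the 5.10, 5.15, 6.1 and 6.6 backports, yet the change touches only the comment block and the `continue`, so it applies without adaptation; only the `@@ -1199,11 +1199,14 @@` offsets differ. That makes this a good candidate for a mechanical backport check across all eight commits: the `-`/`+` lines should be byte-identical, which they are here.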
    
d7cf2314dd5e

btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Filipe Manana · Fixed in 6.18.14 · via kernel-cna
1 file changed · +7 −5
  • fs/btrfs/qgroup.c +7 −5 modified
    diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
    index 7a1dd250e92c09..302bb3ecf39a32 100644
    --- a/fs/btrfs/qgroup.c
    +++ b/fs/btrfs/qgroup.c
    @@ -1157,11 +1157,14 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info,
     			}
     			if (ret > 0) {
     				/*
    -				 * Shouldn't happen, but in case it does we
    -				 * don't need to do the btrfs_next_item, just
    -				 * continue.
    +				 * Shouldn't happen because the key should still
    +				 * be there (return 0), but in case it does it
    +				 * means we have reached the end of the tree -
    +				 * there are no more leaves with items that have
    +				 * a key greater than or equals to @found_key,
    +				 * so just stop the search loop.
     				 */
    -				continue;
    +				break;
     			}
     		}
     		ret = btrfs_next_item(tree_root, path);
    
b2bd557b75b7

btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found

1 file changed · +7 −5
  • fs/btrfs/qgroup.c +7 −5 modified
    diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
    index c634e011405148..bed9d1c11c67a0 100644
    --- a/fs/btrfs/qgroup.c
    +++ b/fs/btrfs/qgroup.c
    @@ -1137,11 +1137,14 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info,
     			}
     			if (ret > 0) {
     				/*
    -				 * Shouldn't happen, but in case it does we
    -				 * don't need to do the btrfs_next_item, just
    -				 * continue.
    +				 * Shouldn't happen because the key should still
    +				 * be there (return 0), but in case it does it
    +				 * means we have reached the end of the tree -
    +				 * there are no more leaves with items that have
    +				 * a key greater than or equals to @found_key,
    +				 * so just stop the search loop.
     				 */
    -				continue;
    +				break;
     			}
     		}
     		ret = btrfs_next_item(tree_root, path);
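Review bot: style nit on the new comment in this mainline hunk: "a key greater than or equals to @found_key" should read "greater than or equal to", and the clause after "end of the tree -" would read better as its own sentence. The logic itself is sound: once btrfs_search_slot_for_read() returns a positive value the path is no longer valid, nothing left in the loop body may touch it, and `break` is the only safe way out.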
    
ecb7c2484cfc

btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found

1 file changed · +7 −5
  • fs/btrfs/qgroup.c +7 −5 modified
    diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
    index f53c313ab6e460..38adadb936dc24 100644
    --- a/fs/btrfs/qgroup.c
    +++ b/fs/btrfs/qgroup.c
    @@ -1169,11 +1169,14 @@ int btrfs_quota_enable(struct btrfs_fs_info *fs_info,
     			}
     			if (ret > 0) {
     				/*
    -				 * Shouldn't happen, but in case it does we
    -				 * don't need to do the btrfs_next_item, just
    -				 * continue.
    +				 * Shouldn't happen because the key should still
    +				 * be there (return 0), but in case it does it
    +				 * means we have reached the end of the tree -
    +				 * there are no more leaves with items that have
    +				 * a key greater than or equals to @found_key,
    +				 * so just stop the search loop.
     				 */
    -				continue;
    +				break;
     			}
     		}
     		ret = btrfs_next_item(tree_root, path);
    

Vulnerability mechanics

Root cause

"Missing loop-termination check when btrfs_search_slot_for_read() returns 1 (end of tree), causing subsequent access to an invalid path/leaf in btrfs_quota_enable()."

Attack vector

An attacker with the ability to trigger quota enablement on a btrfs filesystem (via the BTRFS_IOC_ENABLE_QUOTA ioctl or equivalent) can cause the kernel to read from an invalid b-tree leaf. When btrfs_search_slot_for_read() returns 1, indicating that no key was found and that the path is invalid, the old code used `continue` instead of `break`, so the loop went on to its next iteration and accessed the leaf through the invalid path. No network access is required; the attack is local and requires the CAP_SYS_ADMIN capability or root privileges to enable quotas.

Affected code

The vulnerable code is in btrfs_quota_enable() in fs/btrfs/qgroup.c. The loop that walks the ref keys and re-searches them with btrfs_search_slot_for_read() used `continue` when that function returned 1; it should have used `break`, since a return of 1 means the end of the tree has been reached [patch_id=2660815].

What the fix does

The patch changes the `continue` to `break` in the `if (ret > 0)` branch inside btrfs_quota_enable() [patch_id=2660815]. When btrfs_search_slot_for_read() returns 1, the path is no longer valid because the search reached the end of the tree. The old code went on to the next loop iteration and accessed the invalid path. The fix stops the search loop immediately, so the invalid path is never touched. The comment is also updated to state that reaching this branch means the end of the tree has been reached.

Preconditions

  • auth: Attacker must have the ability to enable btrfs quotas (requires root/CAP_SYS_ADMIN)
  • input: The btrfs filesystem must have a tree structure where a ref key lookup can reach the end of the tree (return 1 from btrfs_search_slot_for_read)
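As an added illustration (a constructed model written for this page, not kernel code), the C below mimics the ref-key walk in btrfs_quota_enable(): a single sorted leaf stands in for the tree, the model `search_slot_for_read()` returns 1 and leaves the path invalid when no key >= the requested one exists, and `drop_if_last()` is a constructed trigger that removes the ref key between the release and the re-search, the "shouldn't happen" case the fix's comment describes. All names, key type values and the `walk_result` counters are this example's assumptions; `break_on_end` selects the patched `break` or the original `continue`, and the invalid access that would crash the kernel is counted instead of performed.

```c
#include <errno.h>
#include <stdbool.h>
/* Constructed model of the root-ref walk in btrfs_quota_enable(); not kernel code. Type numbers are made up. */
enum { TYPE_ROOT_ITEM = 1, TYPE_ROOT_REF = 2 };
struct key  { unsigned long long objectid; unsigned type; unsigned long long offset; };
struct leaf { struct key items[8]; int nritems; };   /* one sorted leaf stands in for the whole tree */
struct path { const struct leaf *leaf; int slot; bool valid; };
struct walk_result { int refs_seen; int invalid_accesses; int ret; };
static int key_cmp(const struct key *a, const struct key *b)
{
	if (a->objectid != b->objectid) return a->objectid < b->objectid ? -1 : 1;
	if (a->type != b->type)         return a->type < b->type ? -1 : 1;
	if (a->offset != b->offset)     return a->offset < b->offset ? -1 : 1;
	return 0;
}
/* Model of btrfs_search_slot_for_read(): path -> first item >= key, return 0; or return 1 (end of tree), path invalid. */
static int search_slot_for_read(const struct leaf *l, const struct key *k, struct path *p)
{
	for (int i = 0; i < l->nritems; i++)
		if (key_cmp(&l->items[i], k) >= 0) {
			*p = (struct path){ .leaf = l, .slot = i, .valid = true };
			return 0;
		}
	*p = (struct path){ 0 };
	return 1;
}
static void release_path(struct path *p) { *p = (struct path){ 0 }; }
static int  next_item(struct path *p)    { return ++p->slot >= p->leaf->nritems; }   /* 1 at end of leaf */
/* Constructed trigger for the "shouldn't happen" case: the ref key vanishes between release_path()
 * and the re-search. Only losing the last key of the tree can make the re-search return 1. */
static void drop_if_last(struct leaf *l, const struct key *k)
{
	if (l->nritems > 0 && key_cmp(&l->items[l->nritems - 1], k) == 0) l->nritems--;
}
/* break_on_end = true is the patched loop (break), false the vulnerable one (continue). */
static struct walk_result walk_root_refs(struct leaf *tree, bool break_on_end, bool drop_refs)
{
	struct walk_result r = { 0 };
	struct key start = { 0, TYPE_ROOT_REF, 0 };
	struct path path;
	if (search_slot_for_read(tree, &start, &path) > 0) return r;   /* empty tree: nothing to walk */
	while (1) {
		/* The kernel reads the leaf and slot out of the path here; with an invalid path that is the crash. */
		if (!path.valid) { r.invalid_accesses++; r.ret = -EFAULT; return r; }
		struct key found_key = path.leaf->items[path.slot];
		if (found_key.type == TYPE_ROOT_REF) {
			release_path(&path);            /* kernel drops tree_root locks before quota_root work */
			r.refs_seen++;
			if (drop_refs) drop_if_last(tree, &found_key);
			if (search_slot_for_read(tree, &found_key, &path) > 0) {
				if (break_on_end) break;    /* fixed: end of tree, stop the walk */
				continue;                   /* vulnerable: loop head runs again with an invalid path */
			}
		}
		if (next_item(&path)) break;
	}
	return r;
}
/* Runs one scenario on a fresh constructed tree: one root item followed by two root refs. */
static struct walk_result run_sample(bool break_on_end, bool drop_refs)
{
	struct leaf t = { .items = { { 5, TYPE_ROOT_ITEM, 0 }, { 5, TYPE_ROOT_REF, 256 },
				    { 5, TYPE_ROOT_REF, 257 } }, .nritems = 3 };
	return walk_root_refs(&t, break_on_end, drop_refs);
}
```

With `drop_refs` set, the `continue` variant reports one invalid access and -EFAULT after seeing both refs, while the `break` variant finishes cleanly with the same two refs seen.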

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8
