CVE-2026-31519
Received Received - Intake
Race Condition in Linux btrfs Subvolume Creation Causing Dentry Corruption

Publication date: 2026-04-22

Last updated on: 2026-04-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like: drwxrwxrwt 1 root root 16 Jan 23 16:49 . drwxr-xr-x 1 root root 24 Jan 23 16:48 .. d????????? ? ? ? ? ? broken_subvol and similarly stat-ing the file fails. In this state, deleting the subvol fails with ENOENT, but attempting to create a new file or subvol over it errors out with EEXIST and even aborts the fs. Which leaves us a bit stuck. dmesg contains a single notable error message reading: "could not do orphan cleanup -2" 2 is ENOENT and the error comes from the failure handling path of btrfs_orphan_cleanup(), with the stack leading back up to btrfs_lookup(). btrfs_lookup btrfs_lookup_dentry btrfs_orphan_cleanup // prints that message and returns -ENOENT After some detailed inspection of the internal state, it became clear that: - there are no orphan items for the subvol - the subvol is otherwise healthy looking, it is not half-deleted or anything, there is no drop progress, etc. - the subvol was created a while ago and does the meaningful first btrfs_orphan_cleanup() call that sets BTRFS_ROOT_ORPHAN_CLEANUP much later. - after btrfs_orphan_cleanup() fails, btrfs_lookup_dentry() returns -ENOENT, which results in a negative dentry for the subvolume via d_splice_alias(NULL, dentry), leading to the observed behavior. The bug can be mitigated by dropping the dentry cache, at which point we can successfully delete the subvolume if we want. i.e., btrfs_lookup() btrfs_lookup_dentry() if (!sb_rdonly(inode->vfs_inode)->vfs_inode) btrfs_orphan_cleanup(sub_root) test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) btrfs_search_slot() // finds orphan item for inode N ... prints "could not do orphan cleanup -2" if (inode == ERR_PTR(-ENOENT)) inode = NULL; return d_splice_alias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume btrfs_orphan_cleanup() does test_and_set_bit(BTRFS_ROOT_ORPHAN_CLEANUP) on the root when it runs, so it cannot run more than once on a given root, so something else must run concurrently. However, the obvious routes to deleting an orphan when nlinks goes to 0 should not be able to run without first doing a lookup into the subvolume, which should run btrfs_orphan_cleanup() and set the bit. The final important observation is that create_subvol() calls d_instantiate_new() but does not set BTRFS_ROOT_ORPHAN_CLEANUP, so if the dentry cache gets dropped, the next lookup into the subvolume will make a real call into btrfs_orphan_cleanup() for the first time. This opens up the possibility of concurrently deleting the inode/orphan items but most typical evict() paths will be holding a reference on the parent dentry (child dentry holds parent->d_lockref.count via dget in d_alloc(), released in __dentry_kill()) and prevent the parent from being removed from the dentry cache. The one exception is delayed iputs. Ordered extent creation calls igrab() on the inode. If the file is unlinked and closed while those refs are held, iput() in __dentry_kill() decrements i_count but does not trigger eviction (i_count > 0). The child dentry is freed and the subvol dentry's d_lockref.count drops to 0, making it evictable while the inode is still alive. Since there are two races (the race between writeback and unlink and the race between lookup and delayed iputs), and there are too many moving parts, the following three diagrams show the complete picture. (Only the second and third are races) Phase 1: Create Subvol in dentry cache without BTRFS_ROOT_ORPHAN_CLEANUP set btrfs_mksubvol() lookup_one_len() __lookup_slow() d_alloc_parallel() __d_alloc() // d_lockref.count = 1 create_subvol(dentry) // doesn't touch the bit.. d_instantiate_new(dentry, inode) // dentry in cache with d_lockref.c ---truncated---
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-28
Generated
2026-05-07
AI Q&A
2026-04-22
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31519
EUVD
EUVD-2026-24903
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 2.6.32.19 (inc) to 2.6.33 (exc)
linux linux_kernel From 2.6.33 (inc) to 6.1.168 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's btrfs filesystem, specifically related to the handling of subvolumes and orphan cleanup. When a subvolume is created, a flag called BTRFS_ROOT_ORPHAN_CLEANUP is not set properly. This leads to a situation where subvolumes can appear with broken dentries (directory entries), causing errors when listing or accessing them.

In this broken state, deleting the subvolume fails with an ENOENT error (indicating the entity does not exist), but attempts to create new files or subvolumes over it fail with an EEXIST error (indicating the entity already exists), sometimes even causing the filesystem to abort. The root cause is a race condition involving orphan cleanup and dentry cache management, where the orphan cleanup function btrfs_orphan_cleanup() is not triggered correctly on the first lookup, leading to negative dentries for valid subvolumes.


How can this vulnerability impact me? :

This vulnerability can cause subvolumes in the btrfs filesystem to become stuck in a broken state where they cannot be deleted or overwritten normally. This can lead to filesystem inconsistencies and operational issues, such as inability to manage subvolumes properly.

Specifically, users may encounter errors when trying to list, access, delete, or create files or subvolumes in affected directories. The filesystem may also abort operations due to these errors, potentially causing disruptions or data management difficulties.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing broken subvolumes in the Btrfs filesystem. Specifically, listing the parent directory of the subvolume may show entries with question marks instead of normal permissions and ownership, for example:

  • drwxrwxrwt 1 root root 16 Jan 23 16:49 .
  • drwxr-xr-x 1 root root 24 Jan 23 16:48 ..
  • d????????? ? ? ? ? ? broken_subvol

Additionally, attempting to stat the broken subvolume will fail. The kernel log (dmesg) will contain an error message similar to:

  • "could not do orphan cleanup -2"

Therefore, commands to detect this issue include:

  • ls -l /path/to/parent_dir # to observe broken dentries
  • stat /path/to/broken_subvol # will fail
  • dmesg | grep 'could not do orphan cleanup -2' # to find related kernel error messages

What immediate steps should I take to mitigate this vulnerability?

The vulnerability can be mitigated by dropping the dentry cache, which allows successful deletion of the affected subvolume.

This can be done by running the following command as root:

  • echo 2 > /proc/sys/vm/drop_caches

After dropping the dentry cache, attempts to delete the broken subvolume should succeed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart