PT-2026-36463 · Linux · Linux

Published

2026-05-01

·

Updated

2026-05-01

·

CVE-2026-43046

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reject root items with drop progress and zero drop level
[BUG] When recovering relocation at mount time, merge_reloc_root() and btrfs_drop_snapshot() both use BUG_ON(level == 0) to guard against an impossible state: a non-zero drop_progress combined with a zero drop_level in a root item, which can be triggered:
------------[ cut here ]------------
kernel BUG at fs/btrfs/relocation.c:1545!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 283 ... Tainted: 6.18.0+ #16 PREEMPT(voluntary)
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: QEMU Ubuntu 24.04 PC v2, BIOS 1.16.3-debian-1.16.3-2
RIP: 0010:merge_reloc_root+0x1266/0x1650 fs/btrfs/relocation.c:1545
Code: ffff0000 00004589 d7e9acfa ffffe8a1 79bafebe 02000000
Call Trace:
 merge_reloc_roots+0x295/0x890 fs/btrfs/relocation.c:1861
 btrfs_recover_relocation+0xd6e/0x11d0 fs/btrfs/relocation.c:4195
 btrfs_start_pre_rw_mount+0xa4d/0x1810 fs/btrfs/disk-io.c:3130
 open_ctree+0x5824/0x5fe0 fs/btrfs/disk-io.c:3640
 btrfs_fill_super fs/btrfs/super.c:987 [inline]
 btrfs_get_tree_super fs/btrfs/super.c:1951 [inline]
 btrfs_get_tree_subvol fs/btrfs/super.c:2094 [inline]
 btrfs_get_tree+0x111c/0x2190 fs/btrfs/super.c:2128
 vfs_get_tree+0x9a/0x370 fs/super.c:1758
 fc_mount fs/namespace.c:1199 [inline]
 do_new_mount_fc fs/namespace.c:3642 [inline]
 do_new_mount fs/namespace.c:3718 [inline]
 path_mount+0x5b8/0x1ea0 fs/namespace.c:4028
 do_mount fs/namespace.c:4041 [inline]
 __do_sys_mount fs/namespace.c:4229 [inline]
 __se_sys_mount fs/namespace.c:4206 [inline]
 __x64_sys_mount+0x282/0x320 fs/namespace.c:4206
 ...
RIP: 0033:0x7f969c9a8fde
Code: 0f1f4000 48c7c2b0 fffffff7 d8648902 b8ffffff ffc3660f
---[ end trace 0000000000000000 ]---
The bug is reproducible on 7.0.0-rc2-next-20260310 with our dynamic metadata fuzzing tool that corrupts btrfs metadata at runtime.
[CAUSE] A non-zero drop_progress.objectid means an interrupted btrfs_drop_snapshot() left a resume point on disk, and in that case drop_level must be greater than 0 because the checkpoint is only saved at internal node levels.
Although this invariant is enforced when the kernel writes the root item, it is not validated when the root item is read back from disk. That allows on-disk corruption to provide an invalid state with drop_progress.objectid != 0 and drop_level == 0.
When relocation recovery later processes such a root item, merge_reloc_root() reads drop_level and hits BUG_ON(level == 0). The same invalid metadata can also trigger the corresponding BUG_ON() in btrfs_drop_snapshot().
[FIX] Fix this by validating the root item invariant in tree-checker when reading root items from disk: if drop_progress.objectid is non-zero, drop_level must also be non-zero. Reject such malformed metadata with -EUCLEAN before it reaches merge_reloc_root() or btrfs_drop_snapshot() and triggers the BUG_ON.
After the fix, the same corruption is correctly rejected by tree-checker and the BUG_ON is no longer triggered.
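The pattern behind this fix, an invariant that the writer guarantees but the reader never re-checks, is worth seeing in isolation. The following user-space model is an added illustration written for this page; it is not the kernel's tree-checker or relocation code. The struct layouts, the helper names (save_drop_progress, check_root_item, recover_drop, demo_valid, demo_corrupt) and the sample key values are assumptions chosen to mirror the commit message: the writer only ever records a checkpoint at an internal node, the reader-side validator rejects drop_progress.objectid != 0 with drop_level == 0 as -EUCLEAN, and the consumer therefore never reaches the state the kernel guards with BUG_ON.

```c
/* Added illustration for CVE-2026-43046, not the kernel's own code.
 * Simplified stand-ins for btrfs_disk_key / btrfs_root_item; the helper
 * names and sample values below are assumptions for this example. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef EUCLEAN
#define EUCLEAN 117 /* Linux value; assumed when the host errno.h lacks it */
#endif

/* Minimal key: only objectid matters for the invariant under discussion. */
struct disk_key {
    uint64_t objectid;
    uint8_t  type;
    uint64_t offset;
};

/* Only the two root-item fields the invariant ties together. */
struct root_item {
    struct disk_key drop_progress; /* resume key of an interrupted drop, or 0 */
    uint8_t         drop_level;    /* level of the node drop_progress refers to */
};

/* Writer side, modelled on what the text says about btrfs_drop_snapshot():
 * a checkpoint is only saved at an internal node, so level must be >= 1.
 * The impossible state is refused here, which is why the kernel assumed
 * it could never appear on disk. */
int save_drop_progress(struct root_item *ri, const struct disk_key *key, int level)
{
    if (level <= 0)
        return -EINVAL;
    ri->drop_progress = *key;
    ri->drop_level = (uint8_t)level;
    return 0;
}

/* Reader side: the tree-checker style validation the fix adds. A root item
 * that claims an in-progress drop (non-zero objectid) but a leaf-level
 * checkpoint cannot have been written by the kernel, so it is corrupt and
 * is rejected with -EUCLEAN before anything trusts drop_level. */
int check_root_item(const struct root_item *ri)
{
    if (ri->drop_progress.objectid != 0 && ri->drop_level == 0)
        return -EUCLEAN;
    return 0;
}

/* Consumer side, modelled on merge_reloc_root()/btrfs_drop_snapshot().
 * Returns the level recovery would resume from, 0 if there is nothing to
 * resume, or a negative errno. With the validator in front, the kernel's
 * BUG_ON(level == 0) is back to guarding a programming error instead of a
 * state reachable from a crafted or corrupted filesystem image. */
int recover_drop(const struct root_item *ri)
{
    int ret = check_root_item(ri);
    if (ret)
        return ret;                 /* corrupt metadata: fail the mount, do not crash */
    if (ri->drop_progress.objectid == 0)
        return 0;                   /* no interrupted drop to resume */
    /* kernel: BUG_ON(level == 0) here; unreachable once check_root_item() ran */
    return ri->drop_level;
}

/* Constructed sample: a plausible resume key at level 2 (values are arbitrary). */
static void build_sample(struct root_item *ri)
{
    struct disk_key key = { .objectid = 256, .type = 0, .offset = 0 };
    memset(ri, 0, sizeof *ri);
    save_drop_progress(ri, &key, 2);
}

/* Well-formed root item as the kernel would have written it. */
int demo_valid(void)
{
    struct root_item ri;
    build_sample(&ri);
    return recover_drop(&ri);   /* 2: resume from the level-2 checkpoint */
}

/* Same item after on-disk corruption flips drop_level to 0, as a runtime
 * metadata fuzzer might; this is the state that used to reach BUG_ON. */
int demo_corrupt(void)
{
    struct root_item ri;
    build_sample(&ri);
    ri.drop_level = 0;
    return recover_drop(&ri);   /* -EUCLEAN (-117 on Linux) */
}

int main(void)
{
    printf("valid root item   -> %d\n", demo_valid());
    printf("corrupt root item -> %d\n", demo_corrupt());
    return 0;
}
```

The check is deliberately placed in the reader (check_root_item) rather than tightened in the writer: the writer was already correct, and an attacker or a bad disk does not go through the writer. Any invariant that only a kernel code path maintains has to be re-validated at the trust boundary where the on-disk bytes come back in, which for btrfs is tree-checker, and the failure mode should be a clean -EUCLEAN mount failure rather than a BUG_ON.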

Related Identifiers

CVE-2026-43046

Affected Products

Linux