CVE-2026-31519

In the Linux kernel, the following vulnerability has been resolved:

btrfs: set BTRFSROOTORPHAN_CLEANUP during subvol create

We have recently observed a number of subvolumes with broken dentries. ls-ing the parent dir looks like:

drwxrwxrwt 1 root root 16 Jan 23 16:49 . drwxr-xr-x 1 root root 24 Jan 23 16:48 .. d????????? ? ? ? ? ? broken_subvol

and similarly stat-ing the file fails.

In this state, deleting the subvol fails with ENOENT, but attempting to create a new file or subvol over it errors out with EEXIST and even aborts the fs. Which leaves us a bit stuck.

dmesg contains a single notable error message reading: "could not do orphan cleanup -2"

2 is ENOENT and the error comes from the failure handling path of btrfsorphancleanup(), with the stack leading back up to btrfs_lookup().

btrfslookup btrfslookupdentry btrfsorphan_cleanup // prints that message and returns -ENOENT

After some detailed inspection of the internal state, it became clear that: - there are no orphan items for the subvol - the subvol is otherwise healthy looking, it is not half-deleted or anything, there is no drop progress, etc. - the subvol was created a while ago and does the meaningful first btrfsorphancleanup() call that sets BTRFSROOTORPHANCLEANUP much later. - after btrfsorphancleanup() fails, btrfslookupdentry() returns -ENOENT, which results in a negative dentry for the subvolume via dsplice_alias(NULL, dentry), leading to the observed behavior. The bug can be mitigated by dropping the dentry cache, at which point we can successfully delete the subvolume if we want.

i.e., btrfslookup() btrfslookupdentry() if (!sbrdonly(inode->vfsinode)->vfsinode) btrfsorphancleanup(subroot) testandsetbit(BTRFSROOTORPHANCLEANUP) btrfssearchslot() // finds orphan item for inode N ... prints "could not do orphan cleanup -2" if (inode == ERRPTR(-ENOENT)) inode = NULL; return dsplicealias(NULL, dentry) // NEGATIVE DENTRY for valid subvolume

btrfsorphancleanup() does testandsetbit(BTRFSROOTORPHANCLEANUP) on the root when it runs, so it cannot run more than once on a given root, so something else must run concurrently. However, the obvious routes to deleting an orphan when nlinks goes to 0 should not be able to run without first doing a lookup into the subvolume, which should run btrfsorphancleanup() and set the bit.

The final important observation is that createsubvol() calls dinstantiatenew() but does not set BTRFSROOTORPHANCLEANUP, so if the dentry cache gets dropped, the next lookup into the subvolume will make a real call into btrfsorphancleanup() for the first time. This opens up the possibility of concurrently deleting the inode/orphan items but most typical evict() paths will be holding a reference on the parent dentry (child dentry holds parent->dlockref.count via dget in dalloc(), released in _dentrykill()) and prevent the parent from being removed from the dentry cache.

The one exception is delayed iputs. Ordered extent creation calls igrab() on the inode. If the file is unlinked and closed while those refs are held, iput() in __dentrykill() decrements icount but does not trigger eviction (icount > 0). The child dentry is freed and the subvol dentry's dlockref.count drops to 0, making it evictable while the inode is still alive.

Since there are two races (the race between writeback and unlink and the race between lookup and delayed iputs), and there are too many moving parts, the following three diagrams show the complete picture. (Only the second and third are races)

Phase 1: Create Subvol in dentry cache without BTRFSROOTORPHAN_CLEANUP set

btrfsmksubvol() lookupone_len() __lookupslow() dalloc_parallel() __dalloc() // dlockref.count = 1 createsubvol(dentry) // doesn't touch the bit.. dinstantiatenew(dentry, inode) // dentry in cache with dlockref.c ---truncated---