Critical Vulnerability Information Vulnerability Description: - The Btrfs filesystem does not abort when attempting to create a snapshot of a deleted subvolume. - If the ioctl used for snapshotting points to a deleted subvolume, it results in the following crash: - - - Root Cause: - initializes a new root item as a copy of the source root item, including the refs field, but not the subvolume's ref. - Calling inserts a root with ref count 0, returning , which causes to abort. Mitigation: - Check the source root's refs before attempting the snapshot, but after acquiring the lock to avoid race conditions with deletion. Related Code Changes: - Modified to add checks for and . Sign-offs and Reviews: - Sign-offs: Greg Kroah-Hartman, David Sterba, Anand Jain, Sweet Tea Dorminy, Larry Bassel - Reviews: David Sterba, Anand Jain, Sweet Tea Dorminy