Linux Kernel Btrfs Delayed Reference Error Reporting Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Btrfs file system component relates to inadequate error reporting in the 'run_one_delayed_ref()' function. This lack of proper error handling can lead to use-after-free issues, as the function may free a node that is still in use. Although the function's failure is currently logged with 'btrfs_debug()', this debug information is not available to end users when the problem occurs. The vulnerability has been addressed by enhancing error reporting to include additional context, such as logical byte number, number of bytes, type, action, and reference modification. The error reporting has been moved into the 'run_one_delayed_ref()' function to prevent use-after-free scenarios. When an error occurs, it triggers a message that cascades up the call chain, ultimately aborting the current transaction. However, if delayed references need to be processed for an aborted transaction, 'run_one_delayed_ref()' will simply clean up the references without generating new error messages.
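The reporting pattern described above, as an added userspace model in C; it is not Btrfs code and not taken from the kernel fix. The names `ref_node`, `trans`, `apply_ref`, `run_one_ref` and `run_refs`, the message wording and the sample values are assumptions made for illustration, as is the node being released before control returns to the caller.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, not kernel code. Fields mirror the values the advisory lists. */
struct ref_node { unsigned long long bytenr, num_bytes; int type, action, ref_mod; };
struct trans { int aborted, err_msgs; char last_msg[160]; }; /* aborted: 0 or -errno */

/* Hypothetical stand-in for the real work: a zero-length ref is rejected. */
static int apply_ref(const struct ref_node *n) { return n->num_bytes ? 0 : -EINVAL; }

/* Report inside the function, while the node is still valid, then release it. */
int run_one_ref(struct trans *t, struct ref_node *n)
{
    int ret = t->aborted ? 0 : apply_ref(n);   /* aborted: clean up only, no message */
    if (ret) {
        snprintf(t->last_msg, sizeof(t->last_msg), "failed to run delayed ref for logical "
                 "%llu num_bytes %llu type %d action %d ref_mod %d: %d",
                 n->bytenr, n->num_bytes, n->type, n->action, n->ref_mod, ret);
        t->err_msgs++;
    }
    free(n);    /* the caller must not dereference n after this point */
    return ret;
}

/* The caller only propagates the error code and aborts; it never reads a node. */
int run_refs(struct trans *t, struct ref_node **nodes, int count)
{
    for (int i = 0; i < count; i++) {
        int ret = run_one_ref(t, nodes[i]);
        if (ret)
            t->aborted = ret;   /* first error aborts; later refs are only cleaned up */
    }
    return t->aborted;
}

/* Constructed sample: refs 2 and 3 are invalid; only the first failure is reported. */
int main(void)
{
    struct trans t = {0};
    struct ref_node *nodes[3];
    for (int i = 0; i < 3; i++) {
        if (!(nodes[i] = malloc(sizeof(*nodes[i])))) return 1;
        *nodes[i] = (struct ref_node){ 4096ULL * (i + 1), i ? 0 : 4096, 1, 1, 1 };
    }
    int ret = run_refs(&t, nodes, 3);
    printf("ret=%d messages=%d\n%s\n", ret, t.err_msgs, t.last_msg);
    return 0;
}
```

Logging from the caller instead would read `n->bytenr` and the other fields after `free(n)`, which is the use-after-free the relocation avoids.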

Impact

Exploitation of this vulnerability could lead to use-after-free conditions, potentially allowing for memory corruption or other unintended behavior in the Btrfs file system.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.0
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.