Linux Kernel Btrfs Tree Modification Log Vulnerability Leading to Kernel Panic

Vulnerability

A vulnerability has been identified in the Linux kernel's Btrfs file system, caused by improper handling of reallocated nodes in the tree modification log. The issue can cause a kernel panic, reported as 'kernel BUG at fs/btrfs/tree-mod-log.c:677' with an invalid opcode error. It arises when the system incorrectly replays tree modification operations for a block that should not have been processed, particularly 'KEY_REPLACE' and 'KEY_REMOVE_WHILE_FREEING' operations. Replaying those operations triggers a bug check in the tree modification log handling and crashes the system.

Impact

Exploitation of this vulnerability causes a kernel panic, leading to a system crash.
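One way to check collected kernel logs (for example, a saved dmesg capture from a crashed host) for the crash signature quoted above. This is an added example, not part of the original advisory; the function and constant names are hypothetical and the sample log lines are constructed.

```python
import re

# BUG line quoted in the advisory. The source line number is captured rather
# than hard-coded because it can differ between kernel builds.
BUG_RE = re.compile(r"kernel BUG at (fs/btrfs/tree-mod-log\.c):(\d+)")
# On x86, BUG() is reported as an "invalid opcode" oops right after the BUG line.
OOPS_RE = re.compile(r"invalid opcode")
# Optional dmesg-style "[  123.456789]" timestamp prefix.
TS_RE = re.compile(r"^\[\s*(\d+\.\d+)\]")
ADVISORY_LINE = 677  # line number given in the advisory


def find_tree_mod_log_bugs(lines, window=3):
    """Return one record per tree-mod-log BUG line found in `lines`.

    `window` is how many following lines are searched for the
    "invalid opcode" oops header that confirms the BUG actually fired.
    """
    lines = list(lines)
    hits = []
    for i, raw in enumerate(lines):
        m = BUG_RE.search(raw)
        if not m:
            continue
        ts = TS_RE.match(raw)
        following = lines[i + 1:i + 1 + window]
        hits.append({
            "timestamp": float(ts.group(1)) if ts else None,
            "source": m.group(1),
            "line": int(m.group(2)),
            "invalid_opcode": any(OOPS_RE.search(l) for l in following),
            "matches_advisory": int(m.group(2)) == ADVISORY_LINE,
        })
    return hits


# Constructed sample input (not taken from a real system).
SAMPLE_LOG = """\
[  512.100000] example: unrelated kernel message
[  512.900001] ------------[ cut here ]------------
[  512.900002] kernel BUG at fs/btrfs/tree-mod-log.c:677!
[  512.900003] invalid opcode: 0000 [#1] SMP
[  600.000000] kernel BUG at fs/example/other.c:1!
""".splitlines()

if __name__ == "__main__":
    for hit in find_tree_mod_log_bugs(SAMPLE_LOG):
        print(hit)
```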

Reproduction

The vulnerability can be reproduced by performing a sequence of operations that involve modifying Btrfs tree roots and reallocating nodes. This process should include removing items from a root node, triggering 'KEY_REPLACE' operations, and then reallocating nodes to a different root, which causes the tree modification log to mishandle the reallocated nodes, ultimately leading to a kernel panic.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.