Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's Btrfs file system has been identified, related to the management of free space caching. This issue can lead to corruption in the free space tree and double allocations of space. The vulnerability arises from a race condition between caching free space for a block group and returning free space to the in-memory cache for pinned extents. This can cause a free range to be added twice to the space cache, particularly when free space is cached from the free space tree or the extent tree. The problem was introduced by a previous commit that allowed multiple transactions to unpin extents simultaneously, disrupting the intended synchronization and leading to the observed symptoms of free space management errors and inconsistencies.
Exploitation of this vulnerability can cause free space management errors, such as 'unable to add free space' (EEXIST) errors, missing free space information, and corruption of the free space tree. This corruption can worsen over time as extents are deleted and reallocated, potentially leading to significant file system management issues.
The vulnerability can be reproduced by enabling space_cache v2 on a Btrfs file system and performing operations that involve pinning extents and managing free space. The race condition can be triggered by concurrently unpinning extents in different transactions, which allows the same free space to be incorrectly accounted for multiple times.
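A minimal C model of the double add described above, added here as an illustration and not taken from the kernel or from the fix. The `space_cache` structure, the `add_free_space`, `alloc_range` and `replay` functions and the byte offsets are all hypothetical, and the two racing paths are replayed in a fixed order rather than with real threads. It shows why the same race surfaces either as an EEXIST error or as a silent double allocation.

```c
#include <errno.h>
#include <stddef.h>

/* Toy model (not kernel code): the free space cache as a list of byte ranges. */
#define MAX_RANGES 16
struct range { unsigned long start, len; };
struct space_cache { struct range r[MAX_RANGES]; size_t n; };

/* Add a free range; an overlap with an already cached range fails with -EEXIST. */
int add_free_space(struct space_cache *c, unsigned long start, unsigned long len)
{
    for (size_t i = 0; i < c->n; i++)
        if (start < c->r[i].start + c->r[i].len && c->r[i].start < start + len)
            return -EEXIST;
    if (c->n == MAX_RANGES)
        return -ENOSPC;
    c->r[c->n++] = (struct range){ start, len };
    return 0;
}

/* Hand out the cached range that begins at start; 1 on success, 0 if absent. */
int alloc_range(struct space_cache *c, unsigned long start)
{
    for (size_t i = 0; i < c->n; i++)
        if (c->r[i].start == start) {
            c->r[i] = c->r[--c->n]; /* remove by moving the last entry down */
            return 1;
        }
    return 0;
}

/* Replay the race: the unpin path and the caching path both return the same
 * range. With alloc_between set, the range is handed out between the two adds.
 * *second_add receives the caching path's result; returns the owner count. */
int replay(int alloc_between, int *second_add)
{
    struct space_cache c = { .n = 0 };
    int owners = 0;

    add_free_space(&c, 4096, 8192);               /* unpin path */
    if (alloc_between)
        owners += alloc_range(&c, 4096);          /* first owner */
    *second_add = add_free_space(&c, 4096, 8192); /* caching path */
    owners += alloc_range(&c, 4096);              /* next allocation */
    return owners;                                /* 2 means double allocation */
}
```

With `alloc_between` set to 0 the second add is rejected with `-EEXIST` and the range has one owner; with it set to 1 the second add is accepted and the same bytes end up with two owners, with no error raised.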
Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. Instructions for downloading the patched version can be found in the Linux kernel repository.