Linux Kernel Btrfs Use-After-Free Vulnerability in Block Group Relocation

Vulnerability

A use-after-free vulnerability has been identified in the Btrfs file system component of the Linux kernel. The issue lies in the block group relocation process, specifically in the 'prepare_to_relocate()' function: when a transaction commit fails, the relocation control is not cleared, so a reference to it remains after the structure is freed. The vulnerability can be triggered by invoking 'btrfs_ioctl_balance()' before 'btrfs_ioctl_defrag()'.

Impact

Exploitation of this vulnerability results in a use-after-free, which can corrupt kernel memory and potentially allow arbitrary code execution.

Reproduction

To reproduce this vulnerability, first call 'btrfs_ioctl_balance()' to start a balance operation in which the transaction commit fails (the condition described above). Then invoke 'btrfs_ioctl_defrag()' before the balance operation completes. This sequence triggers the use-after-free condition: the relocation control is accessed after it has been freed.

Remediation

The vulnerability has been addressed in the Linux kernel by adding a check to 'prepare_to_relocate()' that clears the relocation control when the transaction commit fails.
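As an added illustration that is not part of this advisory or of the kernel source, the following user-space C model shows the error-path shape described above: the relocation control is published through a shared fs_info, the transaction commit fails, and only the fixed variant unpublishes it before the caller frees it. The names fs_info->reloc_ctl, set_reloc_control() and unset_reloc_control() are assumed stand-ins for the Btrfs plumbing, and the commit failure is injected.

```c
/* Simplified user-space model of the bug above; not kernel code. The names
 * fs_info->reloc_ctl, set_reloc_control() and unset_reloc_control() are
 * assumed stand-ins for Btrfs, and the commit failure is injected. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

struct reloc_control { int stage; };
struct fs_info { struct reloc_control *reloc_ctl; };

/* Publish / unpublish the relocation control through the shared fs_info. */
static void set_reloc_control(struct fs_info *fs, struct reloc_control *rc) { fs->reloc_ctl = rc; }
static void unset_reloc_control(struct fs_info *fs) { fs->reloc_ctl = NULL; }

/* Stand-in for btrfs_commit_transaction(): fails with -EIO when injected. */
static int commit_transaction(bool inject_failure) { return inject_failure ? -EIO : 0; }

/* Vulnerable shape: the control stays published when the commit fails. */
static int prepare_to_relocate_vuln(struct fs_info *fs, struct reloc_control *rc, bool fail)
{
    set_reloc_control(fs, rc);
    return commit_transaction(fail);
}

/* Fixed shape: the error path unpublishes the control before returning. */
static int prepare_to_relocate_fixed(struct fs_info *fs, struct reloc_control *rc, bool fail)
{
    int ret;
    set_reloc_control(fs, rc);
    ret = commit_transaction(fail);
    if (ret)
        unset_reloc_control(fs);
    return ret;
}

/* Run a balance whose commit fails and free rc as the balance error path
 * does. Returns true when fs_info still points at the control about to be
 * freed, i.e. a later caller (the defrag path in the advisory) would read
 * freed memory. The check is done before free(), so no freed pointer is used. */
static bool leaves_stale_reloc_ctl(bool use_fixed)
{
    struct fs_info fs = { .reloc_ctl = NULL };
    struct reloc_control *rc = calloc(1, sizeof(*rc));
    int ret = use_fixed ? prepare_to_relocate_fixed(&fs, rc, true)
                        : prepare_to_relocate_vuln(&fs, rc, true);
    bool stale = (ret != 0) && (fs.reloc_ctl == rc);
    free(rc);
    return stale;
}
```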

Added: Jun 18, 2025, 6:27 PM
Updated: Jun 18, 2025, 6:27 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.