Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's JBD2 journaling layer can lead to an assertion failure in the 'jbd2_journal_dirty_metadata' function. The issue occurs when the journal is aborted and the buffer head's transaction state is not properly cleared before the journal is committed. The failed assertion triggers a 'BUG', which causes a kernel panic and indicates a serious flaw in the journal handling process.
Exploitation of this vulnerability causes a kernel panic, leading to a crash of the affected system.
The vulnerability can be reproduced by unlinking a directory entry, which initiates a transaction. After the journal is aborted, another unlink operation is performed, and the buffer head retains a reference to the aborted transaction. When 'jbd2_journal_dirty_metadata' is called, the assertion 'jh->b_frozen_data == NULL' fails because the buffer head still holds the frozen data from the previous operation, and the kernel panics.
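A log check for the failure described above, as an added example that is not part of the original advisory or the kernel source: it scans kernel log lines for the failed assertion in 'jbd2_journal_dirty_metadata' and links it to the most recent journal abort. The function name and assertion text come from this page; the message layouts, the device name and the embedded log lines are constructed assumptions.

```python
import re

# Function name and assertion text are taken from the advisory above.
FUNC = "jbd2_journal_dirty_metadata"
EXPR = "jh->b_frozen_data == NULL"

# Assumed kernel log layouts (not given on the page).
ABORT_RE = re.compile(r"Aborting journal on device (\S+?)\.?$")
ASSERT_RE = re.compile(r'Assertion failure in (\w+)\(\) at \S+: "([^"]+)"')

# Constructed sample; <file>:<line> are placeholders, sdb1-8 is made up.
SAMPLE_LOG = """\
[  812.104233] Aborting journal on device sdb1-8.
[  812.500101] Assertion failure in example_other_function() at <file>:<line>: "x == 0"
[  812.990871] Assertion failure in jbd2_journal_dirty_metadata() at <file>:<line>: "jh->b_frozen_data == NULL"
[  812.990902] kernel BUG at <file>:<line>!
"""


def scan(lines):
    """Return one finding per occurrence of the advisory's assertion failure."""
    lines = [l.rstrip() for l in lines]
    findings = []
    last_abort = None  # (line number, device) of the latest journal abort
    for n, line in enumerate(lines, 1):
        m = ABORT_RE.search(line)
        if m:
            last_abort = (n, m.group(1))
            continue
        m = ASSERT_RE.search(line)
        if not m or (m.group(1), m.group(2)) != (FUNC, EXPR):
            continue  # unrelated line or a different assertion
        findings.append({
            "line": n,
            "abort_line": last_abort[0] if last_abort else None,
            "device": last_abort[1] if last_abort else None,
            # A BUG line shortly after the assertion confirms the crash path.
            "bug_follows": any("kernel BUG at" in l for l in lines[n:n + 3]),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f)
```

A finding with a non-empty `abort_line` matches the sequence the description gives: journal abort first, then the assertion failure on a later operation.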