Linux Kernel Ext4 Deadlock Vulnerability in Xattr Block Management

A deadlock vulnerability has been identified in the Linux kernel's ext4 file system when handling extended attribute (xattr) blocks. This issue arises from a corruption of the mbcache entry, leading to an infinite loop in the function ext4_xattr_block_set(). The problem occurs because the cache entry for the xattr block is incorrectly marked as reusable, despite its reference count being too high for reuse. This inconsistency, caused by a non-atomic update of the reusable bit, allows the reference count update to clash with the referenced bit update, creating a persistent erroneous state. As a result, the function continuously retries to reuse the block, causing a deadlock. This vulnerability has existed for several years but became significantly more pronounced after a previous commit intended to fix a related issue.

Impact

The vulnerability leads to a denial-of-service condition, causing the system to become unresponsive while the deadlock is active.

Reproduction

To reproduce this vulnerability, manipulate xattr blocks in a way that triggers the non-atomic update of the mbcache entry flags. This can be done by reusing xattr blocks in the mbcache while their reference counts are still high, creating a race condition that the kernel does not handle properly. Once the inconsistency occurs, the ext4_xattr_block_set() function will enter an infinite loop, causing a deadlock.

Remediation

The vulnerability has been addressed by updating the mbcache entry management to use atomic operations for the reusable and referenced flags, preventing the race condition that leads to the deadlock. Users should upgrade to the patched version of the Linux kernel where this fix is applied.