Linux Kernel Btrfs Subpage Blocksize Panic Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Btrfs file system leads to a kernel panic. The issue occurs in versions 6.1 and later, including the 6.4.0-rc7 release. The panic is triggered in the 'btrfs_cont_expand' function when a page's private data has been cleared but the page remains in the file mapping. The subpage modification code expects the page to be private, so this discrepancy causes an assertion failure. The condition arises because the 'release_folio' function can remove the page's private status, leaving it in the mapping in a state that subpage operations do not expect. The issue can be reproduced by running the generic/476 test with the 'fsstress' workload, which simulates file system activity and creates a scenario in which the page private data is cleared before the subpage bits can be modified.

Impact

Exploitation of this vulnerability causes a kernel panic, leading to a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by running the generic/476 test on a Btrfs file system with the 'fsstress' workload. This combination clears the page private data while leaving the page in the file mapping, which causes an assertion failure in the Btrfs subpage handling code and panics the kernel.

Remediation

Users can apply the patch included in the Linux kernel stable commit '17b17fcd6d446b95904a6929c40012ee7f0afc0c' to address this vulnerability.
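
To decide which hosts need the patch first, the following added example (not part of the original advisory or of the kernel project) flags mounted Btrfs filesystems that run in subpage mode, meaning a sector size smaller than the CPU page size, on a kernel in the 6.1-and-later range stated above. The verdict words are made up for this example, and the script cannot tell whether the fix is already present: 'check-patch' means confirm that your kernel contains the stable commit named in this section.

```shell
#!/bin/sh
# Added example: triage a host for exposure to the Btrfs subpage panic.
# Verdict names (not-subpage, outside-range, check-patch) are made up here.

# True when the release string is 6.1 or later, the range the advisory gives.
kernel_in_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "${minor:-0}" -ge 1 ]; }
}

# Subpage mode: the filesystem sector size is smaller than the CPU page size.
is_subpage() {
    [ "$1" -lt "$2" ]
}

# assess RELEASE PAGESIZE SECTORSIZE: print one verdict word.
assess() {
    if ! is_subpage "$3" "$2"; then
        echo "not-subpage"      # subpage handling code is not in use
    elif kernel_in_range "$1"; then
        echo "check-patch"      # confirm the stable commit is in this kernel
    else
        echo "outside-range"    # older than the range the advisory states
    fi
}

# Walk every mounted Btrfs filesystem via sysfs and print its verdict.
scan_host() {
    rel=$(uname -r)
    page=$(getconf PAGESIZE)
    for f in /sys/fs/btrfs/*/sectorsize; do
        [ -r "$f" ] || continue     # glob did not match: no Btrfs mounted
        fsid=${f%/sectorsize}
        sector=$(cat "$f")
        echo "${fsid##*/} sectorsize=$sector pagesize=$page kernel=$rel:" \
             "$(assess "$rel" "$page" "$sector")"
    done
}

# Run the scan only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

Run it with `--scan` on the host being assessed; hosts whose page size equals the Btrfs sector size (typically 4 KiB on both sides) report 'not-subpage'.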

Added: Sep 15, 2025, 4:13 PM
Updated: Sep 15, 2025, 4:13 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.