Linux Kernel Btrfs NULL Pointer Dereference Vulnerability Leading to Kernel Panic

Vulnerability

A race condition has been identified in the Btrfs file system component of the Linux kernel, specifically within the tree modification log rewind process. This race condition can cause a kernel panic by triggering a NULL pointer dereference. The issue arises when logical inode resolution takes a tree modification log sequence number, and a backreference walk encounters a rewind on a busy node. This sequence of operations can create invalid entries that, when accessed, lead to a crash. The vulnerability is present in Linux kernel versions through 5.15.

Impact

Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by introducing artificial delays in the 'btrfs_search_old_slot' function. The delays make tree modification log rewinds occur more often during 'ino_to_logical' IOCTL operations, which widens the window for the race condition and triggers the NULL pointer dereference and subsequent kernel panic.

Remediation

Users can upgrade to the latest stable version of the Linux kernel to address this vulnerability.

Added: Oct 4, 2025, 7:03 PM
Updated: Oct 4, 2025, 7:03 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           9.0
impact           2.5
exploitability   3.9
remediation      7.7
relevance        0.6
threat           4.8
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.