Linux Kernel Btrfs Quota Root Deletion Race Condition Vulnerability

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's Btrfs file system. When quotas are disabled, the kernel removes the quota root from the 'dirty_cowonly_roots' list without properly synchronizing this action. This unsynchronized removal can lead to conflicts if another process concurrently modifies the same list, potentially causing various failures, including a general protection fault crash. The issue arises from the lack of proper locking during the deletion process, which can disrupt the file system's stability.

Impact

Exploitation of this vulnerability can lead to a general protection fault, causing a crash. Such a crash can disrupt system operations and potentially lead to a denial of service.

Reproduction

To reproduce this vulnerability, disable quota management on a Btrfs file system. The kernel will attempt to remove the associated quota root from the 'dirty_cowonly_roots' list. If another process concurrently adds a root to the same list, the unsynchronized removal can cause a race condition, leading to a crash. This issue can be observed in a QEMU virtual machine running the affected Linux kernel version.

Remediation

The vulnerability has been addressed by modifying the Btrfs quota management code to include the necessary locks during the deletion process. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
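The following added example is not kernel code and is not taken from the patch. It is a single-threaded userspace model of a kernel-style linked list that replays one unlucky interleaving deterministically, to show why an unlocked removal next to a concurrent add leaves the list unwalkable, and why serializing the two operations avoids it. The node names, the split of the add into two steps, and the `NULL` stand-in for the kernel's poison pointers are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace model of a kernel-style circular doubly linked list. */
struct node { struct node *next, *prev; };
static void list_init(struct node *h) { h->next = h->prev = h; }

/* An add, split in two so a delete can land between its read and writes. */
static struct node *add_read(struct node *head) { return head->next; }
static void add_write(struct node *n, struct node *head, struct node *next)
{
    next->prev = n; n->next = next; n->prev = head; head->next = n;
}

static void list_del(struct node *e)
{
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = e->prev = NULL;   /* stand-in for the kernel's poison values */
}

/* 1 if a forward walk returns to head with every link mirrored, else 0. */
static int list_ok(struct node *head)
{
    struct node *n = head;
    for (int i = 0; i < 8; i++) {
        if (!n->next || n->next->prev != n) return 0;
        if ((n = n->next) == head) return 1;
    }
    return 0;
}

/* interleave=1: removal runs between the adder's read and writes (no lock).
 * interleave=0: each operation runs to completion, as one shared lock enforces. */
int list_survives(int interleave)
{
    struct node head, quota_root, other_root;
    list_init(&head);
    add_write(&quota_root, &head, add_read(&head));
    struct node *seen = add_read(&head);      /* adder samples head->next */
    if (interleave) list_del(&quota_root);    /* unsynchronized removal */
    add_write(&other_root, &head, seen);      /* adder finishes with 'seen' */
    if (!interleave) list_del(&quota_root);   /* removal after the add */
    return list_ok(&head);
}

int main(void)
{
    printf("unsynchronized=%d serialized=%d\n", list_survives(1), list_survives(0));
    return 0;
}
```

In the interleaved case the new entry ends up linked to the already removed node, so a later walk of the list follows an invalid pointer, which in the kernel is the kind of access that surfaces as a general protection fault.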

Added: Dec 24, 2025, 12:37 PM
Updated: Dec 24, 2025, 12:37 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.