Linux Kernel Btrfs Deadlock Vulnerability During Inode Lookup Ioctl

A deadlock vulnerability has been identified in the Linux kernel's Btrfs file system, specifically within the 'ino lookup' ioctl operation. This issue arises when the 'btrfs_iget()' function is called to retrieve an inode reference while holding a lock on a root's B-tree. If the requested inode is not in memory and needs to be fetched from the B-tree, 'btrfs_iget()' must lock another path in the same root B-tree, potentially leading to a circular locking dependency and a deadlock. The problem has been observed in Linux kernel version 6.5.0-rc7.

Impact

Exploitation of this vulnerability causes a deadlock, where the system becomes unresponsive due to circular locking dependencies.

Reproduction

The vulnerability can be reproduced by invoking the 'ino lookup' ioctl on a Btrfs file system. This can be done by mounting a Btrfs file system and then using a tool or script that sends 'ino lookup' ioctl requests, such as 'syzkaller', a fuzzing tool that can automate this process. The deadlock occurs when the ioctl tries to look up an inode that is not in memory, forcing the kernel to lock B-tree paths, creating a circular dependency that leads to the deadlock.

Remediation

Users can upgrade to the patched versions of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading the Linux kernel can typically be found in the documentation for the specific Linux distribution in use.