Linux Kernel Btrfs Quota Feature Assertion Failure Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Btrfs file system has been identified, related to the management of simple quotas. When quotas are enabled, an incompatibility bit should be set before the transaction is committed. However, the current implementation only sets the bit after the transaction, leading to a potential assertion failure. This issue can be reproduced by enabling quotas on a Btrfs file system, unmounting it, and then remounting without committing a new transaction, which causes the missing incompatibility bit to trigger an assertion error.

Impact

The vulnerability causes a kernel assertion failure, leading to a crash. This is due to the Btrfs file system's quota management not properly synchronizing flags, causing an inconsistency that the kernel's error handling cannot manage.

Reproduction

The vulnerability can be reproduced by creating a Btrfs file system on a block device, mounting it, enabling simple quotas, unmounting the file system, and then remounting it without committing a new transaction. This sequence exposes the missing incompatibility bit, causing the assertion failure.

Remediation

The vulnerability has been addressed in the Linux kernel by adjusting the order in which the quota flags are set, ensuring that both the status and incompatibility bits are properly synchronized within the same transaction.
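To check on disk the state the fix is meant to guarantee, this added example (not code from the kernel or from this advisory) reads the primary superblock of an unmounted Btrfs device or image and reports whether the simple-quota incompatibility bit is set. The superblock offsets and the bit position are assumptions taken from the Btrfs on-disk format, the function names are this example's own, and the quota tree is not read, so whether simple quotas were enabled has to be known separately.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed from the Btrfs on-disk format; none of these values is on the page. */
#define SB_OFFSET        65536L  /* primary superblock location on the device */
#define SB_SIZE          4096
#define SB_MAGIC_OFF     64      /* 8-byte magic "_BHRfS_M" */
#define SB_INCOMPAT_OFF  188     /* little-endian u64 incompat_flags */
#define INCOMPAT_SIMPLE_QUOTA (1ULL << 16)

/* Decode a little-endian u64 regardless of host byte order. */
static uint64_t le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* 1 = bit set, 0 = bit clear, -1 = not a Btrfs superblock (checksum not verified). */
int sb_has_simple_quota(const unsigned char *buf, size_t len)
{
    if (len < SB_INCOMPAT_OFF + 8 || memcmp(buf + SB_MAGIC_OFF, "_BHRfS_M", 8) != 0)
        return -1;
    return (le64(buf + SB_INCOMPAT_OFF) & INCOMPAT_SIMPLE_QUOTA) ? 1 : 0;
}

/* Constructed sample: a zeroed superblock with only magic and incompat_flags filled. */
void make_sample_sb(unsigned char *buf, uint64_t incompat)
{
    memset(buf, 0, SB_SIZE);
    memcpy(buf + SB_MAGIC_OFF, "_BHRfS_M", 8);
    for (int i = 0; i < 8; i++)
        buf[SB_INCOMPAT_OFF + i] = (unsigned char)(incompat >> (8 * i));
}

int main(int argc, char **argv)
{
    unsigned char sb[SB_SIZE];
    make_sample_sb(sb, 0x341);      /* default input: constructed sample, bit clear */
    if (argc > 1) {                 /* otherwise: an unmounted device or image file */
        FILE *f = fopen(argv[1], "rb");
        if (!f || fseek(f, SB_OFFSET, SEEK_SET) || fread(sb, 1, SB_SIZE, f) != SB_SIZE)
            return 2;               /* could not read a full superblock */
        fclose(f);
    }
    int r = sb_has_simple_quota(sb, SB_SIZE);
    puts(r < 0 ? "not a btrfs superblock" : r ? "SIMPLE_QUOTA set" : "SIMPLE_QUOTA clear");
    return r < 0 ? 2 : 0;
}
```

A file system on which simple quotas were enabled but which reports the bit as clear is in the inconsistent state described under Reproduction.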

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.