Linux Kernel Btrfs Double Accounting Race Vulnerability Leading to Kernel Panic

A vulnerability in the Linux kernel's Btrfs file system has been identified, where a double accounting race can occur when the function 'btrfs_run_delalloc_range()' fails. This issue is prevalent in environments running Btrfs with a block size of 4K, smaller than the 64K page size typical for AArch64 architecture. The vulnerability can cause a kernel crash, as evidenced by a kernel panic triggered by a null pointer dereference. The problem arises during the handling of allocated but not yet written data, particularly when the file system's ordered extent accounting becomes corrupted. The vulnerability has been resolved in the Linux kernel.

Impact

Exploitation of this vulnerability leads to a kernel panic, causing a crash of the operating system.

Reproduction

The vulnerability can be reproduced by running the Linux kernel with Btrfs file system under AArch64 architecture, using a block size of 4K and a page size of 64K. This configuration creates a high likelihood of encountering the double accounting race when 'btrfs_run_delalloc_range()' fails, ultimately leading to a kernel crash.