Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability has been identified in the Linux kernel's Btrfs file system, related to a race condition in block group reference counting. The issue arises during the two-phase process of block group creation, where a block group can be allocated or deallocated before the creation process is fully completed. Consequently, 'btrfs_mark_bg_unused' may be called on a block group that remains unused, leading to a reference count underflow and a use-after-free condition. The vulnerability can cause warnings about refcount underflow and has been observed in the Btrfs discard work function, particularly after relocation processes that cancel discard operations and dismantle block groups.
Exploitation of this vulnerability leads to a reference count underflow, causing a use-after-free condition. This can result in memory corruption issues, where freed memory is improperly accessed, potentially leading to arbitrary code execution or other severe consequences.