Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's Btrfs file system has been identified, specifically within the RAID1 profile. The issue arises from a write pointer offset mismatch between disks, which leads to a NULL pointer dereference. This problem occurs when the default metadata profile DUP is converted to a RAID1 profile on two disks. The mismatch causes Btrfs to mark the block group as full, disrupting normal operations and potentially leading to data management issues.
Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by creating a RAID1 block group in Btrfs and introducing a write pointer mismatch between the disks. This can be done by converting the default metadata profile DUP to RAID1 on two disks, which triggers the mismatch. Once the mismatch is detected, Btrfs will mark the block group as full, but the underlying issue will cause a NULL pointer dereference, leading to a kernel panic.