Linux Kernel Btrfs NULL Pointer Dereference Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's Btrfs file system. This issue arises because the function 'btrfs_prelim_ref()' incorrectly orders its reference arguments, intentionally passing a NULL value as the old reference to 'trace_btrfs_prelim_ref_insert()'. This misalignment causes a NULL pointer dereference, leading to a kernel crash. The vulnerability can be reproduced by enabling the 'trace_btrfs_prelim_ref_insert' event, performing writeback operations, and then triggering a backtrace that reveals the NULL pointer dereference.

Impact

Exploitation of this vulnerability leads to a kernel NULL pointer dereference, causing a crash and disruption of system operations.

Reproduction

To reproduce this vulnerability, first enable the tracing of Btrfs preliminary reference inserts by writing to the appropriate trace event. After activating the trace, perform writeback operations that would trigger the Btrfs file system to process data. The vulnerability manifests as a NULL pointer dereference, which can be observed in the system logs as a kernel oops message, indicating a crash due to the invalid memory access.