Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's Btrfs file system. This issue arises during the asynchronous metadata reclaim process, where the system attempts to add a delayed 'iput' (inode reference drop) after the 'fs_info' state has been modified to disallow such actions. The vulnerability was triggered by the interaction between the async reclaim worker and the unmount process, leading to an assertion failure. The problem was introduced by a recent commit that added extra validation for delayed 'iput' operations.
Exploitation of this vulnerability causes an assertion failure, disrupting the normal operation of the Btrfs file system.
The vulnerability can be reproduced by initiating an unmount sequence while an asynchronous metadata reclaim process is active. This can be done by triggering the reclaim worker to enter the 'shrink_delalloc()' function, which manages the deletion of allocated but unwritten data. During this process, the worker can be made to handle an inode that is also being processed by the unmount sequence, creating a race condition that leads to the assertion failure.
The vulnerability has been addressed in the Linux kernel by modifying the unmount process to wait for the asynchronous reclaim workers to finish before changing the 'fs_info' state. Users should upgrade to the latest version of the Linux kernel where this fix has been implemented.
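The ordering change described above, as an added userspace model (not kernel code and not the upstream patch). It replays the interleaving deterministically in a single thread, and every name in it is hypothetical; a counter stands in for the kernel assertion firing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: all names are hypothetical, not kernel identifiers. */
struct fs_model {
    bool no_delayed_iput;  /* state: delayed iputs are no longer allowed     */
    int  reclaim_pending;  /* inode references the reclaim worker still holds */
    int  delayed_iputs;    /* delayed iputs that were accepted                */
    int  assert_failures;  /* stands in for the kernel assertion firing       */
};

/* The validation the page describes: reject a delayed iput once the
 * state has been changed to disallow them. */
static void add_delayed_iput(struct fs_model *fs)
{
    if (fs->no_delayed_iput) {
        fs->assert_failures++;
        return;
    }
    fs->delayed_iputs++;
}

/* Finish the in-flight reclaim pass: each held inode is dropped via a
 * delayed iput. Calling this models "waiting for the worker to finish". */
static void finish_reclaim_worker(struct fs_model *fs)
{
    while (fs->reclaim_pending > 0) {
        fs->reclaim_pending--;
        add_delayed_iput(fs);
    }
}

/* Replays unmount with the worker mid-pass, holding `inodes` references.
 * Returns how many times the assertion would have fired. */
int simulate_unmount(bool wait_for_worker_first, int inodes)
{
    struct fs_model fs = { false, inodes, 0, 0 };

    if (wait_for_worker_first)
        finish_reclaim_worker(&fs);   /* fixed order: drain, then flip state */
    fs.no_delayed_iput = true;
    finish_reclaim_worker(&fs);       /* old order: worker runs after flip   */
    return fs.assert_failures;
}

int main(void)
{
    printf("state changed first: %d assertion failures\n", simulate_unmount(false, 3));
    printf("worker drained first: %d assertion failures\n", simulate_unmount(true, 3));
    return 0;
}
```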