Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's Btrfs file system can disrupt the proper handling of write operations, particularly in zoned setups. The issue arises because the Btrfs subsystem clears the TOWRITE tag from a folio before all dirty blocks have been written, violating the expected order of operations. This flaw can lead to assertions failing and kernel bugs, especially when file sizes are truncated before all data has been properly flushed. The vulnerability affects several versions of the Linux kernel.
Exploitation of this vulnerability can cause kernel panics due to invalid opcode errors, disrupting normal system operations. In Btrfs zoned file systems, it can lead to improper file handling, causing assertions to fail and potentially allowing for data corruption or loss.
The vulnerability can be reproduced by creating a scenario where one process initiates a write operation on a folio, leaving some pages dirty, while another process concurrently tags the folio for writeback. The first process can clear the TOWRITE tag before the folio is fully written, causing the second process to overlook it and exit prematurely, breaking the required synchronization order.
Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.