Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 6.11, < 6.11.0-rc1
A race condition has been identified in the Linux kernel's Btrfs file system, specifically in versions 6.11 and later. The race is between inode eviction and inode caching, and it can leave a live Btrfs inode structure absent from the root's inodes xarray. During eviction, the inode is unhashed before it is removed from the xarray. If 'btrfs_iget()' is called for the same inode during this interval, the inode is recreated and added to the xarray. The eviction process then deletes this new entry, leaving the live inode with no entry in the xarray. This can disrupt subvolume deletion, leading to premature calls to 'btrfs_add_dead_root' and to infinite loops when cleaning up deleted snapshots, as observed in production environments.
Exploitation of this vulnerability can cause soft lockups, where the system becomes unresponsive due to a process being stuck in a loop, unable to complete its task.
The vulnerability can be reproduced by creating a scenario where an inode is evicted and unhashed, but not yet removed from the xarray. During this window, if 'btrfs_iget()' is called for the same inode, it will be reinserted into the xarray. However, the eviction process will delete this new entry, creating a 'lost' state. If all other inodes are then evicted, the Btrfs deletion process will call 'btrfs_add_dead_root()' prematurely. If the lost inode has a delayed_node attached, it will cause 'btrfs_clean_one_deleted_snapshot()' to loop indefinitely, as the delayed_nodes xarray will never clear, unless memory pressure forces the inode out.
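The interleaving described above can be replayed deterministically in a small userspace model. This is an added example, not kernel code or the upstream patch: all names (model_inode, inodes_xa, model_iget, model_evict_finish) are hypothetical, and the match_only variant is an assumption about one way to close the window that the page itself does not describe.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: an array stands in for the root's inodes xarray. */
struct model_inode { unsigned long ino; int hashed; };
#define SLOTS 8
static struct model_inode *inodes_xa[SLOTS];
static struct model_inode old_inode, new_inode;

/* Models btrfs_iget() finding no hashed inode and creating a new one. */
static void model_iget(unsigned long ino)
{
    new_inode.ino = ino;
    new_inode.hashed = 1;
    inodes_xa[ino] = &new_inode;          /* overwrites the stale entry */
}

/* Last eviction step: 0 = erase by index (racy), 1 = erase only on match. */
static void model_evict_finish(int match_only)
{
    if (!match_only || inodes_xa[old_inode.ino] == &old_inode)
        inodes_xa[old_inode.ino] = NULL;
}

/* Replays the interleaving; returns 1 if the live inode is still tracked. */
int live_inode_tracked(int match_only)
{
    for (size_t i = 0; i < SLOTS; i++) inodes_xa[i] = NULL;
    old_inode.ino = 5; old_inode.hashed = 1;
    inodes_xa[5] = &old_inode;
    old_inode.hashed = 0;                 /* 1. eviction unhashes the inode  */
    model_iget(5);                        /* 2. iget recreates it in the gap */
    model_evict_finish(match_only);       /* 3. eviction removes "its" entry */
    return inodes_xa[5] == &new_inode;
}

/* Models the "no inodes left" condition that precedes dead-root handling. */
int root_looks_empty(void)
{
    for (size_t i = 0; i < SLOTS; i++)
        if (inodes_xa[i]) return 0;
    return 1;
}

int main(void)
{
    printf("erase by index: tracked=%d\n", live_inode_tracked(0));
    printf("erase on match: tracked=%d\n", live_inode_tracked(1));
    return 0;
}
```

With erase-by-index the model ends with a live inode and an empty array, which is the 'lost' state that lets dead-root handling start too early.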
Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.