Linux Kernel Btrfs Free Space Tree Assertion Removal Vulnerability

A vulnerability exists in the Linux kernel's Btrfs file system related to the management of the free space tree. When building this tree, the system incorrectly asserts that block group items will always be found in the extent tree, unless the block group tree feature is enabled. This assumption fails because new block groups can be created in the current transaction without their items being added to the extent tree, leading to an assertion failure. The issue has been reported by Syzbot, which encountered a kernel bug due to this incorrect assertion.

Impact

The vulnerability can cause a kernel panic by triggering an assertion failure, which is treated as a critical error in the kernel, leading to a crash.

Reproduction

The vulnerability can be reproduced by mounting a Btrfs file system and then creating a new block group in a transaction that is still open. Afterward, the free space tree can be rebuilt, which will trigger the assertion failure because the block group's item has not yet been inserted into the extent tree.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.