Linux Kernel Btrfs RAID5 Metadata Writeback Error Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Btrfs file system can lead to a use-after-free when RAID5 is used for metadata. Once the file system encounters an error and is flagged as being in an error state, no new transactions are allowed, which leaves metadata frozen. Some metadata modifications may still be cached as dirty, however, and when the system attempts to write them back it can queue new work into a work queue that has already been stopped, triggering a crash. This vulnerability affects Btrfs file systems in Linux kernel versions 6.6 and later.

Impact

Exploitation of this vulnerability can cause a use-after-free error, potentially leading to memory corruption or other undefined behavior.

Reproduction

The vulnerability can be reproduced by running the Btrfs file system with RAID5 metadata and applying a workload similar to that used in the generic/388 test case. This will trigger the conditions that lead to the use-after-free error.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.
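
To decide which hosts need the upgrade, the two conditions named above (kernel 6.6 or later, RAID5 metadata profile) can be checked per mount. The script below is an added example, not part of the original advisory; the function names, the result labels and the sample `btrfs filesystem df` output are constructed for illustration, and because the page names no fixed release, a "review" result means the kernel changelog still has to be checked.

```shell
#!/bin/sh
# Added example (not from the advisory): flag a Btrfs mount that matches the
# page's two conditions, kernel 6.6 or later AND a RAID5 metadata profile.
# The page names no fixed release, so "review" means: check the vendor changelog.

# kernel_is_6_6_or_later RELEASE: 0 = yes, 1 = no, 2 = unparseable release.
kernel_is_6_6_or_later() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 6 ]; }
}

# has_raid5_metadata: stdin is `btrfs filesystem df` output; 0 if any Metadata
# line is RAID5 (two Metadata lines can appear while a balance converts profiles).
has_raid5_metadata() {
    awk -F'[,:] *' '$1 == "Metadata" && toupper($2) == "RAID5" { hit = 1 }
                    END { exit !hit }'
}

# assess RELEASE: prints ok, review or unknown-kernel for the df output on stdin.
assess() {
    has_raid5_metadata || { echo ok; return 0; }
    if kernel_is_6_6_or_later "$1"; then echo review
    elif [ $? -eq 1 ]; then echo ok
    else echo unknown-kernel
    fi
}

# Constructed sample of `btrfs filesystem df` output, used when no mount is given.
SAMPLE='Data, RAID5: total=2.00GiB, used=1.10GiB
System, RAID1: total=32.00MiB, used=16.00KiB
Metadata, RAID5: total=1.00GiB, used=112.00KiB
GlobalReserve, single: total=3.25MiB, used=0.00B'

if [ -n "${1:-}" ]; then
    btrfs filesystem df "$1" | assess "$(uname -r)"    # live check (btrfs-progs)
else
    printf '%s\n' "$SAMPLE" | assess 6.8.0-45-generic  # constructed release string
fi
```

Run it with a mount point as the only argument to check a live file system; an unparseable kernel release is reported as unknown-kernel rather than treated as unaffected.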

Added: Dec 8, 2025, 1:41 AM
Updated: Dec 8, 2025, 1:41 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.