Linux Kernel Btrfs Sub-Group Space Info Kobject Name Leak Vulnerability

Vulnerability

A memory leak vulnerability has been identified in the Linux kernel's Btrfs file system. When the function create_space_info_sub_group() allocates elements for the sub-group space information, it initializes each element as a kobject and adds it to sysfs. However, the cleanup function check_removing_space_info() frees these elements without first removing their kobjects, so the kobject names are leaked. The leak has been observed on kernels built with the CONFIG_DEBUG_KMEMLEAK option, where the kmemleak tool detects it.

Impact

Exploitation of this vulnerability leads to a memory leak, where kobject names are not properly released, causing unnecessary memory consumption.

Reproduction

The vulnerability can be reproduced by running the blktests test case zbd/009 on a kernel built with the CONFIG_DEBUG_KMEMLEAK option. This test case triggers the memory leak by creating sub-group space information kobjects that are not properly cleaned up, allowing kmemleak to report the unreferenced objects as a memory leak.

Remediation

To address this vulnerability, the Btrfs file system should be updated to call btrfs_sysfs_remove_space_info() instead of kfree() when freeing the sub-group space information elements. Instructions for applying this patch can be found in the Linux kernel Git repository.
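
Why freeing the element directly loses the name, while dropping the kobject reference does not, can be modelled in userspace. The C program below is an added example, not code from the kernel or from the Btrfs patch; the toy_* types, the xalloc()/xfree() counters and the name "sub-group-demo" are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: toy_* names are hypothetical, not kernel code. */
static int live_allocs; /* heap blocks currently outstanding */
static void *xalloc(size_t n) { void *p = calloc(1, n); if (!p) abort(); live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
struct toy_kobject {
    char *name; /* allocated separately from the containing object */
    int refcount;
};
struct toy_space_info { struct toy_kobject kobj; }; /* kobject embedded first */

/* Like kobject_init_and_add(): takes a reference and allocates the name. */
static void toy_kobject_init_and_add(struct toy_kobject *k, const char *name)
{
    k->name = xalloc(strlen(name) + 1);
    strcpy(k->name, name);
    k->refcount = 1;
}

/* Like kobject_put(): the final put releases the container and the name. */
static void toy_kobject_put(struct toy_kobject *k)
{
    char *name = k->name;
    if (--k->refcount > 0)
        return;
    xfree(k);    /* release step: k is also the toy_space_info address */
    xfree(name); /* the name is only ever freed here */
}

/* Returns how many allocations one create/teardown cycle leaves behind. */
static int teardown_leaks(int use_put)
{
    int before = live_allocs;
    struct toy_space_info *sub = xalloc(sizeof(*sub));
    toy_kobject_init_and_add(&sub->kobj, "sub-group-demo"); /* constructed name */
    if (use_put)
        toy_kobject_put(&sub->kobj); /* fixed: drop the last reference */
    else
        xfree(sub);                  /* buggy: container freed, name orphaned */
    return live_allocs - before;
}

int main(void)
{
    return printf("free-only leaks %d, put leaks %d\n", teardown_leaks(0), teardown_leaks(1)) < 0;
}
```

The one allocation left behind by the free-only path corresponds to the unreferenced kobject name that kmemleak reports.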

Added: Apr 22, 2026, 4:03 PM
Updated: Apr 22, 2026, 4:03 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.