Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's Btrfs file system has been identified, related to the management of subvolume orphan items. When a subvolume is created, it is supposed to have its orphan items cleaned during the first lookup. However, a race condition can occur, leaving the subvolume in a state with a 'broken' dentry, which disrupts normal file system operations. This issue arises because the subvolume creation process does not immediately set the orphan cleanup flag, allowing for concurrent operations that can interfere with proper subvolume management. As a result, attempts to delete the subvolume can fail, while creating new files or subvolumes in the same directory can lead to file system errors.
The vulnerability can cause subvolumes to become unmanageable, with broken dentries preventing deletion and overlapping file creation attempts leading to file system errors.
To reproduce this vulnerability, create a new subvolume in Btrfs without the orphan cleanup flag being set. This can be done by initiating a subvolume creation and then, before the process completes, creating a delayed 'iput' for a file within that subvolume. Once the subvolume is in a state where its dentry can be evicted, the orphan cleanup process will fail, leaving a negative dentry that disrupts normal operations. This can be verified by checking the dentry state, which will show as 'broken' for the affected subvolume.
The vulnerability has been addressed in the Linux kernel by ensuring that the orphan cleanup flag is set before a subvolume's dentry is cached, preventing the race condition that leads to the issue.
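The ordering problem and its fix can be modeled in userspace. The following C model is an added example, not kernel code and not part of the original advisory; all struct, enum and function names are hypothetical, and it assumes that orphan cleanup fails whenever an orphan item with a delayed iput is still pending.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: names are hypothetical, not kernel symbols. */
struct subvol {
    atomic_bool orphan_cleanup_done; /* models the "orphan cleanup flag" */
    int pending_orphans;             /* orphan items still waiting on a delayed iput */
};

enum dentry_state { DENTRY_POSITIVE, DENTRY_NEGATIVE };

/* Run-once cleanup: 0 when it succeeds or is skipped, -1 when it fails. */
static int orphan_cleanup(struct subvol *sv)
{
    if (atomic_exchange(&sv->orphan_cleanup_done, true))
        return 0;                         /* flag already set: skip */
    return sv->pending_orphans ? -1 : 0;  /* assumed failure condition */
}

/* Lookup after the cached dentry was evicted: cleanup runs first, and a
 * cleanup failure leaves a negative ("broken") dentry behind. */
static enum dentry_state lookup_subvol(struct subvol *sv)
{
    return orphan_cleanup(sv) ? DENTRY_NEGATIVE : DENTRY_POSITIVE;
}

/* set_flag_at_create = false models the old ordering, true the fix. */
static void create_subvol(struct subvol *sv, bool set_flag_at_create)
{
    atomic_init(&sv->orphan_cleanup_done, set_flag_at_create);
    sv->pending_orphans = 0;
}

/* Replays the sequence from the description and returns the dentry state. */
enum dentry_state replay(bool set_flag_at_create)
{
    struct subvol sv;
    create_subvol(&sv, set_flag_at_create); /* subvolume dentry is cached here */
    sv.pending_orphans = 1;                 /* delayed iput for a file inside it */
    return lookup_subvol(&sv);              /* dentry evicted, then looked up again */
}

int main(void)
{
    printf("old ordering: %s\n", replay(false) == DENTRY_NEGATIVE ? "negative dentry" : "ok");
    printf("fixed ordering: %s\n", replay(true) == DENTRY_NEGATIVE ? "negative dentry" : "ok");
    return 0;
}
```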