Linux Kernel Btrfs Drop Progress and Level Validation Vulnerability

A vulnerability in the Linux kernel's Btrfs file system has been addressed, which involved improper validation of root item metadata. This issue could lead to a kernel panic (BUG_ON) during the relocation recovery process at mount time. The vulnerability arises when a root item's drop_progress is non-zero, indicating an interrupted snapshot operation, while its drop_level is zero. This inconsistency can be exploited by corrupting Btrfs metadata at runtime, creating a scenario that triggers the BUG_ON condition. The problem was reproducible on Linux 7.0.0-rc2-next-20260310 using a dynamic metadata fuzzing tool.

Impact

The vulnerability could cause a kernel panic by triggering a BUG_ON condition, which is a safeguard against impossible states in the Btrfs metadata management.

Reproduction

The vulnerability can be reproduced by using a metadata fuzzing tool that corrupts Btrfs metadata while the system is running. This corruption can create an invalid state where the drop_progress of a root item is non-zero, but the drop_level is zero. When the system attempts to recover Btrfs relocation during the mount process, this inconsistency will trigger a kernel BUG, causing a crash.

Remediation

The vulnerability has been fixed by adding proper validation of the root item metadata in the Btrfs tree-checker. This validation ensures that if the drop_progress.objectid is non-zero, the drop_level must also be non-zero. The fix is included in the Linux kernel commit 295f8075d00442d71dc9ccae421ace1c0d2d9224.