Linux Kernel XFS Filesystem Metadata Corruption Vulnerability During Inode Inactivation

A vulnerability in the XFS filesystem implementation of the Linux kernel can lead to metadata corruption. This issue arises when an inode with node-format extended attributes is inactivated. The function responsible for this operation, 'xfs_attr3_node_inactive()', invalidates all child leaf and node blocks. However, it does not remove the corresponding entries from the parent node blocks. This creates a risk because if a log shutdown occurs after the child block cancellations have been committed, but before the attribute bitmap truncation is completed, the recovery process can replay the attribute bitmap intact. This replay can lead to a verification failure, as it may attempt to read unreplayed root or child blocks, which can trigger a metadata corruption error.

Impact

The vulnerability can cause a metadata corruption error, leading to a filesystem integrity issue that requires running a repair utility to fix.

Reproduction

To reproduce this vulnerability, an inode with node-format extended attributes must be inactivated. During this process, ensure that a log shutdown occurs after the child leaf and node block cancellations have been committed, but before the attribute bitmap truncation is completed. This sequence will create stale pointers that, upon recovery, can lead to a metadata verification failure.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version available in the Linux kernel stable tree.