Linux Kernel Btrfs Qgroup Ioctl Transaction Space Reservation Vulnerability

A vulnerability exists in the Linux kernel's Btrfs file system related to quota group (qgroup) ioctls. The issue arises because these ioctls do not properly reserve space for transaction items, which can lead to transaction aborts. This problem is particularly evident when the quota root approaches a 'no space' condition, forcing critical metadata updates to rely on a global reserve. The vulnerability can be reproduced by creating a script that fills a Btrfs file system with quota group entries, ultimately causing a transaction to abort due to insufficient space.

Impact

Exploitation of this vulnerability can cause Btrfs transactions to abort, leading to potential disruptions in file system operations that rely on these transactions.

Reproduction

The vulnerability can be reproduced by using a script that creates a Btrfs file system on a device limited to 1GB. After mounting the file system, the script allocates 800MB of data, enables quota management, and then creates 400,000 quota group entries. This process fills the quota system, causing the file system to run out of space for transaction items, particularly for delayed references, which are crucial for updating the quota tree. The transaction abort can be observed in the system logs, indicating a failure to process these delayed references due to the lack of available space.

Remediation

The vulnerability has been addressed in a patch that modifies the qgroup ioctls to use a transaction start method that reserves the necessary space for delayed references. This patch is available in the Linux kernel stable tree.