Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 6.18.0, < 6.18.1
A vulnerability in the Linux kernel's Btrfs file system has been identified, related to improper handling of the block group tree's dirty list. When the EXTENT_TREE_V2 flag is active, the block group tree is incorrectly added to the switch_commits list, disrupting the normal dirty tracking process. This flaw can corrupt the dirty_list, causing Btrfs to mix up its commit and dirty tracking processes. The issue becomes evident when the CONFIG_DEBUG_LIST option is enabled, as it triggers a warning about the corrupted list state. The corruption can cause Btrfs to fail to locate root keys during transactions, ultimately leading to a transaction abort and the file system being marked as corrupted.
This vulnerability causes a critical file system error in Btrfs, where the file system becomes corrupted and is forced into a read-only state. The corruption arises from the mishandling of the block group tree's dirty list, which, when combined with normal dirty tracking, leads to a failure in the file system's transaction management. As a result, Btrfs cannot find necessary root keys during operations, causing transactions to abort and the file system to report critical errors.
The vulnerability can be reproduced by enabling the EXTENT_TREE_V2 incompatibility flag in a Btrfs file system. Once this flag is set, any transaction that dirties a block group will trigger the vulnerability. The block group tree will be improperly added to the switch_commits list, causing a corruption in the dirty_list management. This can be observed by enabling the CONFIG_DEBUG_LIST option, which will reveal the list corruption through a warning about the invalid state of the list entries. Following this, a Btrfs transaction can be initiated, which will fail due to the corrupted state, demonstrating the impact of the vulnerability.
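The list corruption described above can be modelled in userspace. The following is an added illustration, not code from the kernel or from the fix: one embedded `dirty_list` node is linked onto a dirty-tracking list and then onto a second `switch_commits` list. `struct model_root`, `dirty_roots` and the helper names are assumptions, and `entry_valid()` applies the neighbour back-pointer test that list debugging performs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal userspace version of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

/* Unchecked tail insert: what happens when no list debugging is compiled in. */
static void list_add_tail(struct list_head *e, struct list_head *head)
{
    struct list_head *prev = head->prev;
    e->next = head; e->prev = prev;
    prev->next = e; head->prev = e;
}

/* Debug-style sanity check: both neighbours must point back at the entry. */
static bool entry_valid(const struct list_head *e)
{
    return e->prev->next == e && e->next->prev == e;
}

/* Hypothetical stand-in for a tree root: ONE list node shared by every list. */
struct model_root { struct list_head dirty_list; };

/* Build dirty list a, bg, c; optionally link bg onto switch_commits as well.
 * Returns how many of the three entries then fail entry_valid(). */
int broken_entries(bool double_add)
{
    struct list_head dirty_roots, switch_commits;  /* constructed list heads */
    struct model_root a, bg, c;
    int bad = 0;
    list_init(&dirty_roots);
    list_init(&switch_commits);
    list_add_tail(&a.dirty_list, &dirty_roots);
    list_add_tail(&bg.dirty_list, &dirty_roots);   /* normal dirty tracking */
    list_add_tail(&c.dirty_list, &dirty_roots);
    if (double_add)                                /* same node, second list */
        list_add_tail(&bg.dirty_list, &switch_commits);
    bad += !entry_valid(&a.dirty_list);   /* a.next is bg, but bg.prev moved */
    bad += !entry_valid(&bg.dirty_list);  /* bg passes: it sits on switch_commits */
    bad += !entry_valid(&c.dirty_list);   /* c.prev is bg, but bg.next moved */
    return bad;
}

int main(void)
{
    printf("single add: %d broken, double add: %d broken\n", broken_entries(false), broken_entries(true));
    return 0;
}
```

The doubly added node itself passes the check; its former neighbours on the dirty list are the entries left with dangling links, so the damage only surfaces when those entries are next touched.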
Users can apply the latest patches from the Linux kernel stable tree to address this vulnerability. The patches are available in the Linux Git repository under the stable branch.