
THREATINT
PUBLISHED

CVE-2024-47691

f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()



Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

syzbot reports an f2fs bug as below:

    __dump_stack lib/dump_stack.c:88 [inline]
    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
    print_report+0xe8/0x550 mm/kasan/report.c:491
    kasan_report+0x143/0x180 mm/kasan/report.c:601
    kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
    instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
    atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
    __refcount_add include/linux/refcount.h:184 [inline]
    __refcount_inc include/linux/refcount.h:241 [inline]
    refcount_inc include/linux/refcount.h:258 [inline]
    get_task_struct include/linux/sched/task.h:118 [inline]
    kthread_stop+0xca/0x630 kernel/kthread.c:704
    f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
    f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283
    f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]
    __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:907 [inline]
    __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
    do_syscall_x64 arch/x86/entry/common.c:52 [inline]
    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is the race condition below; it may cause a use-after-free on the sbi->gc_th pointer.

    - remount
     - f2fs_remount
      - f2fs_stop_gc_thread
       - kfree(gc_th)
    - f2fs_ioc_shutdown
     - f2fs_do_shutdown
      - f2fs_stop_gc_thread
       - kthread_stop(gc_th->f2fs_gc_task)
       : sbi->gc_thread = NULL;

We will call f2fs_do_shutdown() in two paths:

    - for the f2fs_ioc_shutdown() path, we should grab the sb->s_umount semaphore for fixing.
    - for the f2fs_shutdown() path, it is safe since the caller has already grabbed the sb->s_umount semaphore.
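The interleaving above is easiest to see when the two paths are written out step by step. The following is an added, constructed single-threaded model of the race; it is not f2fs or kernel code. The names stop_gc_thread, ioc_shutdown_unlocked, ioc_shutdown_locked and remount mirror the functions named in the advisory, but sb->s_umount is modelled as a held flag, kfree() as a "freed" poison bit (so a stale dereference is counted instead of corrupting memory), and the scheduler as an explicit preemption point placed between the free and the clearing of sbi->gc_thread. The mode in which s_umount is taken is not stated on this page and is left abstract in the model.

```c
#include <stdbool.h>
#include <stddef.h>

/*
 * Constructed model of the CVE-2024-47691 race (added example, not f2fs code).
 * Assumptions: s_umount is a flag, kfree() is a poison bit, preemption is an
 * explicit callback so the interleaving in the advisory runs deterministically.
 */

struct gc_thread {
    bool task_running;  /* stands in for gc_th->f2fs_gc_task */
    bool freed;         /* set where the kernel would kfree(gc_th) */
};

struct sb_info {
    struct gc_thread *gc_thread;   /* sbi->gc_thread */
    bool s_umount_held;            /* sb->s_umount currently taken */
    bool shutdown_pending;         /* a locked shutdown waiting for s_umount */
    int  uaf_detected;             /* stale dereferences the model caught */
};

typedef void (*preempt_fn)(struct sb_info *sbi);

/* f2fs_stop_gc_thread(): correct only while the caller holds s_umount. */
static void stop_gc_thread(struct sb_info *sbi, preempt_fn preempt)
{
    struct gc_thread *gc_th = sbi->gc_thread;

    if (!gc_th)
        return;
    if (gc_th->freed) {
        /* kthread_stop(gc_th->f2fs_gc_task) would read freed memory here */
        sbi->uaf_detected++;
        return;
    }
    gc_th->task_running = false;   /* kthread_stop(gc_th->f2fs_gc_task) */
    gc_th->freed = true;           /* kfree(gc_th) */
    if (preempt)
        preempt(sbi);              /* another context runs before the pointer is cleared */
    sbi->gc_thread = NULL;         /* the NULL check above only helps after this point */
}

/* f2fs_ioc_shutdown() before the fix: no s_umount, so it can run mid-remount. */
static void ioc_shutdown_unlocked(struct sb_info *sbi)
{
    stop_gc_thread(sbi, NULL);
}

/* f2fs_ioc_shutdown() after the fix: takes s_umount, so it waits for remount to finish. */
static void ioc_shutdown_locked(struct sb_info *sbi)
{
    if (sbi->s_umount_held) {
        sbi->shutdown_pending = true;   /* acquiring sb->s_umount would block here */
        return;
    }
    sbi->s_umount_held = true;
    stop_gc_thread(sbi, NULL);
    sbi->s_umount_held = false;
}

/* f2fs_remount(): runs with s_umount already held; ioctl_path is the context that preempts it. */
static void remount(struct sb_info *sbi, preempt_fn ioctl_path)
{
    sbi->s_umount_held = true;
    stop_gc_thread(sbi, ioctl_path);
    sbi->s_umount_held = false;
    if (sbi->shutdown_pending) {        /* the blocked ioctl now acquires the lock */
        sbi->shutdown_pending = false;
        ioc_shutdown_locked(sbi);
    }
}

/* Run the advisory's interleaving with the given ioctl implementation; return UAFs caught. */
static int run_race(preempt_fn ioctl_path)
{
    struct gc_thread th = { .task_running = true, .freed = false };
    struct sb_info sbi = { .gc_thread = &th };

    remount(&sbi, ioctl_path);
    return sbi.uaf_detected;
}

int main(void)
{
    /* unlocked ioctl path: one stale dereference; locked path: none */
    int vulnerable = run_race(ioc_shutdown_unlocked);
    int fixed = run_race(ioc_shutdown_locked);
    return (vulnerable == 1 && fixed == 0) ? 0 : 1;
}
```

The model makes the defensive point explicit: the `if (!gc_th) return;` guard inside f2fs_stop_gc_thread() cannot protect against this race, because sbi->gc_thread is cleared only after kfree(gc_th). The pointer's lifetime is governed by s_umount, so any caller that stops the GC thread has to hold that lock, which is what the fix does for the ioctl path; the f2fs_shutdown() path was already safe because its caller holds it.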

Reserved 2024-09-30 | Published 2024-10-21 | Updated 2025-05-04 | Assigner Linux

Product status

Git commit ranges (default status: unaffected)

    7950e9ac638e84518fbdd5c930939ad46a1068c5 before fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812    affected
    7950e9ac638e84518fbdd5c930939ad46a1068c5 before 7c339dee7eb0f8e4cadc317c595f898ef04dae30    affected
    7950e9ac638e84518fbdd5c930939ad46a1068c5 before d79343cd66343709e409d96b2abb139a0a55ce34    affected
    7950e9ac638e84518fbdd5c930939ad46a1068c5 before c7f114d864ac91515bb07ac271e9824a20f5ed95    affected

Kernel versions (default status: affected)

    4.16                       affected
    Any version before 4.16    unaffected
    6.6.54                     unaffected
    6.10.13                    unaffected
    6.11.2                     unaffected
    6.12                       unaffected

References

git.kernel.org/...c/fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812

git.kernel.org/...c/7c339dee7eb0f8e4cadc317c595f898ef04dae30

git.kernel.org/...c/d79343cd66343709e409d96b2abb139a0a55ce34

git.kernel.org/...c/c7f114d864ac91515bb07ac271e9824a20f5ed95

cve.org (CVE-2024-47691)

nvd.nist.gov (CVE-2024-47691)

Source: https://cve.threatint.eu/CVE/CVE-2024-47691