CVE-2024-49867
Severity (CVSS v4.0): Pending analysis
Type: CWE-416 Use After Free
Publication date: 21/10/2024
Last modified: 08/11/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: wait for fixup workers before stopping cleaner kthread during umount

During unmount, at close_ctree(), we have the following steps in this order:

1) Park the cleaner kthread - this doesn't destroy the kthread, it basically
halts its execution (wake ups against it work but do nothing);

2) We stop the cleaner kthread - this results in freeing the respective
struct task_struct;

3) We call btrfs_stop_all_workers() which waits for any jobs running in all
the work queues and then frees the work queues.

Syzbot reported a case where a fixup worker resulted in a crash when doing
a delayed iput on its inode while attempting to wake up the cleaner at
btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread
was already freed. This can happen during unmount because we don't wait
for any fixup workers still running before we call kthread_stop() against
the cleaner kthread, which stops and frees all its resources.

Fix this by waiting for any fixup workers at close_ctree() before we call
kthread_stop() against the cleaner and run pending delayed iputs.

The stack traces reported by syzbot were the following:

BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52

CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-fixup btrfs_work_helper
Call Trace:

__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154
btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842
btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Allocated by task 2:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
copy_process+0x5d1/0x3d50 kernel/fork.c:2206
kernel_clone+0x223/0x880 kernel/fork.c:2787
kernel_thread+0x1bc/0x240 kernel/fork.c:2849
create_kthread kernel/kthread.c:412 [inline]
kthreadd+0x60d/0x810 kernel/kthread.c:765
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 61:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_h
---truncated---
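The ordering bug in the commit message is easiest to see as a sequence of teardown steps. The following single-threaded C model is an added illustration and is not code from the kernel or from the fix commits; every function and type name below (`kthread_stop_model`, `close_ctree_buggy`, `struct fs_info`, and so on) is a hypothetical stand-in for the kernel object it is named after. A "freed" flag on the task object plays the role of KASAN's poisoning of a freed slab object, so the use-after-free is counted instead of crashing the process. Pending btrfs-fixup work is modelled as a counter of queued items that run when the work queue is drained.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct task_struct (hypothetical model, not kernel code).
 * kthread_stop_model() sets "freed" instead of really freeing the object,
 * which plays the role of KASAN poisoning: any later access is reported. */
struct task {
    int parked;
    int freed;
};

static int uaf_reports;  /* accesses to a freed task (KASAN-style reports) */

/* Stand-in for btrfs_fs_info: the cleaner kthread plus the btrfs-fixup work
 * queue, modelled as a count of items still waiting to run. */
struct fs_info {
    struct task *cleaner;
    int pending_fixup_work;
    int delayed_iputs;
};

/* kthread_park(): the thread stays alive but ignores wakeups. */
static void kthread_park_model(struct task *t) { t->parked = 1; }

/* kthread_stop(): the thread exits and its task_struct goes back to the slab. */
static void kthread_stop_model(struct task *t) { t->freed = 1; }

/* try_to_wake_up(): reads the task_struct (it takes task->pi_lock).  On a
 * freed object this is the slab-use-after-free from the syzbot report. */
static int wake_up_process_model(struct task *t)
{
    if (t->freed) {
        uaf_reports++;
        return -1;
    }
    return t->parked ? 0 : 1;   /* a parked cleaner ignores the wakeup */
}

/* btrfs_writepage_fixup_worker(): its delayed iput ends in
 * btrfs_add_delayed_iput(), which wakes the cleaner. */
static void fixup_worker_model(struct fs_info *fs)
{
    fs->delayed_iputs++;
    wake_up_process_model(fs->cleaner);
}

/* Run every queued fixup item, as waiting on the fixup work queue would. */
static void flush_fixup_workers(struct fs_info *fs)
{
    while (fs->pending_fixup_work > 0) {
        fs->pending_fixup_work--;
        fixup_worker_model(fs);
    }
}

static void run_delayed_iputs(struct fs_info *fs) { fs->delayed_iputs = 0; }

static struct fs_info *mount_model(int pending_fixup_work)
{
    struct fs_info *fs = calloc(1, sizeof *fs);
    fs->cleaner = calloc(1, sizeof *fs->cleaner);
    fs->pending_fixup_work = pending_fixup_work;
    return fs;
}

/* The real memory is released only here, after all modelled accesses. */
static void release_model(struct fs_info *fs)
{
    free(fs->cleaner);
    free(fs);
}

/* Vulnerable close_ctree() order: park, stop (free) the cleaner, and only
 * then drain the work queues.  Returns the number of KASAN-style reports. */
static int close_ctree_buggy(int pending_fixup_work)
{
    struct fs_info *fs = mount_model(pending_fixup_work);
    uaf_reports = 0;
    kthread_park_model(fs->cleaner);
    kthread_stop_model(fs->cleaner);
    flush_fixup_workers(fs);            /* btrfs_stop_all_workers() */
    release_model(fs);
    return uaf_reports;
}

/* Fixed order: wait for fixup workers and run pending delayed iputs before
 * kthread_stop(), so no worker can wake an already freed task_struct. */
static int close_ctree_fixed(int pending_fixup_work)
{
    struct fs_info *fs = mount_model(pending_fixup_work);
    uaf_reports = 0;
    kthread_park_model(fs->cleaner);
    flush_fixup_workers(fs);            /* the wait added by the fix */
    run_delayed_iputs(fs);
    kthread_stop_model(fs->cleaner);
    flush_fixup_workers(fs);            /* btrfs_stop_all_workers(): queue is empty */
    release_model(fs);
    return uaf_reports;
}

int main(void)
{
    printf("buggy order, 1 pending fixup item: %d UAF report(s)\n", close_ctree_buggy(1));
    printf("fixed order, 1 pending fixup item: %d UAF report(s)\n", close_ctree_fixed(1));
    return 0;
}
```

With one fixup item still queued, the buggy order produces one report (the worker's wakeup lands on the freed task) and the fixed order none; with no queued work both orders are clean, which is why the bug only shows up as a race during unmount.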
Impact
Base Score (CVSS 3.x): 5.50
Severity (CVSS 3.x): MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.10.227 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.168 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.55 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.14 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.3 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/41fd1e94066a815a7ab0a7025359e9b40e4b3576
- https://git.kernel.org/stable/c/4c98fe0dfa2ae83c4631699695506d8941db4bfe
- https://git.kernel.org/stable/c/65d11eb276836d49003a8060cf31fa2284ad1047
- https://git.kernel.org/stable/c/70b60c8d9b42763d6629e44f448aa5d8ae477d61
- https://git.kernel.org/stable/c/9da40aea63f8769f28afb91aea0fac4cf6fbbb65
- https://git.kernel.org/stable/c/a71349b692ab34ea197949e13e3cc42570fe73d9
- https://git.kernel.org/stable/c/bf0de0f9a0544c11f96f93206da04ab87dcea1f4
- https://git.kernel.org/stable/c/cd686dfff63f27d712877aef5b962fbf6b8bc264
- https://git.kernel.org/stable/c/ed87190e9d9c80aad220fb6b0b03a84d22e2c95b