CVE-2024-53218
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/12/2024
Last modified:
24/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix race in concurrent f2fs_stop_gc_thread

In my test case, concurrent calls to f2fs shutdown report the following
stack trace:

```
Oops: general protection fault, probably for non-canonical address 0xc6cfff63bb5513fc: 0000 [#1] PREEMPT SMP PTI
CPU: 0 UID: 0 PID: 678 Comm: f2fs_rep_shutdo Not tainted 6.12.0-rc5-next-20241029-g6fb2fa9805c5-dirty #85
Call Trace:

 ? show_regs+0x8b/0xa0
 ? __die_body+0x26/0xa0
 ? die_addr+0x54/0x90
 ? exc_general_protection+0x24b/0x5c0
 ? asm_exc_general_protection+0x26/0x30
 ? kthread_stop+0x46/0x390
 f2fs_stop_gc_thread+0x6c/0x110
 f2fs_do_shutdown+0x309/0x3a0
 f2fs_ioc_shutdown+0x150/0x1c0
 __f2fs_ioctl+0xffd/0x2ac0
 f2fs_ioctl+0x76/0xe0
 vfs_ioctl+0x23/0x60
 __x64_sys_ioctl+0xce/0xf0
 x64_sys_call+0x2b1b/0x4540
 do_syscall_64+0xa7/0x240
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
```

The root cause is a race condition in f2fs_stop_gc_thread() called from
different f2fs shutdown paths:

```
[CPU0]                              [CPU1]
----------------------              -----------------------
f2fs_stop_gc_thread                 f2fs_stop_gc_thread
gc_th = sbi->gc_thread
                                    gc_th = sbi->gc_thread
kfree(gc_th)
sbi->gc_thread = NULL

                                    kthread_stop(gc_th->f2fs_gc_task) //UAF
```

The commit c7f114d864ac ("f2fs: fix to avoid use-after-free in
f2fs_stop_gc_thread()") attempted to fix this issue by using a read
semaphore to prevent races between shutdown and remount threads, but
it fails to prevent all race conditions.

Fix it by converting to write lock of s_umount in f2fs_do_shutdown().
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.16 (including) | 6.6.64 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.11.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12 (including) | 6.12.2 (excluding) |