CVE-2024-49867: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: wait for fixup workers before stopping cleaner kthread during umount

During unmount, at close_ctree(), we have the following steps in this order:

1) Park the cleaner kthread - this doesn't destroy the kthread, it basically halts its execution (wake ups against it work but do nothing);

2) We stop the cleaner kthread - this results in freeing the respective struct task_struct;

3) We call btrfs_stop_all_workers() which waits for any jobs running in all the work queues and then frees the work queues.

Syzbot reported a case where a fixup worker resulted in a crash when doing a delayed iput on its inode while attempting to wake up the cleaner at btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread was already freed. This can happen during unmount because we don't wait for any fixup workers still running before we call kthread_stop() against the cleaner kthread, which stops and frees all its resources.

Fix this by waiting for any fixup workers at close_ctree() before we call kthread_stop() against the cleaner and run pending delayed iputs.
The stack traces reported by syzbot were the following:

BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52

CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-fixup btrfs_work_helper
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
 try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154
 btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842
 btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 2:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4086 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187
 alloc_task_struct_node kernel/fork.c:180 [inline]
 dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
 copy_process+0x5d1/0x3d50 kernel/fork.c:2206
 kernel_clone+0x223/0x880 kernel/fork.c:2787
 kernel_thread+0x1bc/0x240 kernel/fork.c:2849
 create_kthread kernel/kthread.c:412 [inline]
 kthreadd+0x60d/0x810 kernel/kthread.c:765
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 61:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_h ---truncated---
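The shutdown ordering described in the commit message is easier to see in a small user-space model than in the KASAN trace. The following C program is an added example, not kernel code: the cleaner kthread's task_struct is modelled by a struct with a `freed` flag instead of real memory, so a wakeup against a stopped cleaner is counted rather than crashing, and a pthread barrier lets the simulated close_ctree() choose exactly when the fixup worker performs its delayed iput, which makes the race deterministic. The names `close_ctree_sim`, `add_delayed_iput`, `fixup_worker` and `run_delayed_iputs` are this example's own stand-ins for the kernel functions the text names; they are not the btrfs API.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/*
 * Model of the cleaner kthread's task_struct. Instead of kfree()'ing it we
 * record that it was freed, so the use-after-free becomes a counter.
 */
struct cleaner {
    atomic_int parked;              /* kthread_park(): wakeups work but do nothing */
    atomic_int freed;               /* kthread_stop(): task_struct is gone */
    atomic_int wakeups_after_free;  /* what KASAN reports in the real kernel */
};

struct fs_info {
    struct cleaner cleaner;
    atomic_int pending_delayed_iputs;
    pthread_barrier_t fixup_gate;   /* constructed: releases the fixup worker on demand */
};

/* Stand-in for btrfs_add_delayed_iput(): queue the iput and wake the cleaner. */
static void add_delayed_iput(struct fs_info *fs)
{
    atomic_fetch_add(&fs->pending_delayed_iputs, 1);
    if (atomic_load(&fs->cleaner.freed)) {
        /* try_to_wake_up() on a freed task_struct: the bug in the trace above */
        atomic_fetch_add(&fs->cleaner.wakeups_after_free, 1);
        return;
    }
    /* cleaner still exists (running or parked): the wakeup is safe */
}

/* A fixup worker that ends by dropping its inode reference via a delayed iput. */
static void *fixup_worker(void *arg)
{
    struct fs_info *fs = arg;
    pthread_barrier_wait(&fs->fixup_gate);   /* run only when close_ctree() allows */
    add_delayed_iput(fs);
    return NULL;
}

/* Cleaner-side drain of the queued iputs (stand-in for running delayed iputs). */
static void run_delayed_iputs(struct fs_info *fs)
{
    atomic_store(&fs->pending_delayed_iputs, 0);
}

/*
 * Model of close_ctree(). wait_for_fixup_workers == 0 follows the original
 * order (park, stop cleaner, stop workers); 1 follows the fixed order (park,
 * wait for fixup workers and run delayed iputs, then stop cleaner).
 * Returns the number of wakeups that hit the cleaner after it was freed;
 * 0 means the ordering is safe.
 */
static int close_ctree_sim(int wait_for_fixup_workers)
{
    struct fs_info fs;
    pthread_t worker;

    atomic_init(&fs.cleaner.parked, 0);
    atomic_init(&fs.cleaner.freed, 0);
    atomic_init(&fs.cleaner.wakeups_after_free, 0);
    atomic_init(&fs.pending_delayed_iputs, 0);
    pthread_barrier_init(&fs.fixup_gate, NULL, 2);
    pthread_create(&worker, NULL, fixup_worker, &fs);

    /* 1) park the cleaner kthread */
    atomic_store(&fs.cleaner.parked, 1);

    if (wait_for_fixup_workers) {
        /* fix: let in-flight fixup work finish and drain its iputs first */
        pthread_barrier_wait(&fs.fixup_gate);
        pthread_join(worker, NULL);
        run_delayed_iputs(&fs);
    }

    /* 2) stop the cleaner kthread: its task_struct is freed from here on */
    atomic_store(&fs.cleaner.freed, 1);

    if (!wait_for_fixup_workers) {
        /* 3) btrfs_stop_all_workers(): only now is the fixup worker waited for,
         *    and its delayed iput wakes a cleaner that no longer exists */
        pthread_barrier_wait(&fs.fixup_gate);
        pthread_join(worker, NULL);
    }

    pthread_barrier_destroy(&fs.fixup_gate);
    return atomic_load(&fs.cleaner.wakeups_after_free);
}

int main(void)
{
    printf("original order: %d wakeup(s) after free\n", close_ctree_sim(0));
    printf("fixed order:    %d wakeup(s) after free\n", close_ctree_sim(1));
    return 0;
}
```

The barrier is what makes the model reproducible: in the real kernel the window exists only when a fixup worker happens to be in flight at unmount time, which is why the bug surfaced under fuzzing rather than in ordinary use. The general rule the fix applies is that any object other threads may still wake or dereference must outlive the workers that can reach it, so shutdown waits for the producers before freeing the consumer.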
AI Analysis
Technical Summary
CVE-2024-49867 is a vulnerability identified in the Linux kernel's Btrfs (B-tree file system) implementation, specifically related to the handling of the cleaner kernel thread during the unmount process. The issue arises in the close_ctree() function, which manages the shutdown sequence of the cleaner kthread responsible for maintaining Btrfs metadata consistency. The vulnerability occurs because the kernel does not properly wait for all fixup worker threads to complete before stopping and freeing the cleaner kthread's task_struct. This leads to a use-after-free condition when a delayed inode put operation (delayed iput) attempts to wake the cleaner thread after its resources have been freed. The flaw was discovered through syzbot fuzz testing, which reported kernel crashes with KASAN (Kernel Address Sanitizer) slab-use-after-free errors. The stack traces indicate that the issue manifests as a race condition between the fixup workers and the cleaner kthread during unmount, causing memory corruption and kernel crashes. The fix involves modifying close_ctree() to wait for all fixup workers to finish before stopping the cleaner kthread, ensuring that no delayed iputs attempt to access freed memory. This vulnerability affects Linux kernel versions around 6.12.0-rc1 and potentially other versions using the affected Btrfs code paths. No CVSS score has been assigned yet, and no known exploits are reported in the wild at this time.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux with Btrfs file systems, which are used in various enterprise and cloud environments. Exploitation could lead to kernel crashes (denial of service) and potential memory corruption, which might be leveraged for privilege escalation or arbitrary code execution in more complex attack scenarios, although no such exploits are currently known. The impact includes system instability, potential data loss or corruption during unmount operations, and disruption of critical services relying on Btrfs. Organizations using Linux-based servers, especially those employing Btrfs for storage management, could experience outages or degraded performance. Cloud providers and data centers in Europe that rely on Linux kernels with Btrfs support may face operational risks if unpatched. Additionally, embedded systems or network appliances running vulnerable kernels could be affected, impacting infrastructure availability. The vulnerability's exploitation requires local code execution or kernel-level access, limiting remote exploitation but still posing a significant risk in multi-tenant or shared environments where untrusted code might run.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch for CVE-2024-49867 as soon as it becomes available. Until patches are applied, administrators should consider the following mitigations:
1) Avoid unmounting Btrfs file systems in environments where untrusted or potentially malicious code runs, reducing the risk of triggering the race condition.
2) Monitor system logs for kernel crashes or KASAN reports related to Btrfs cleaner kthread activity to detect potential exploitation attempts.
3) Implement strict access controls and isolation mechanisms (e.g., containers, virtual machines) to limit the ability of unprivileged users to execute code that could trigger the vulnerability.
4) For critical systems, consider using alternative file systems if feasible, or disable Btrfs if not required.
5) Engage with Linux distribution vendors and apply security updates promptly, leveraging automated patch management tools to reduce exposure time.
6) Conduct thorough testing of kernel updates in staging environments to ensure stability before deployment in production.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Poland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-10-21T12:17:06.018Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9825c4522896dcbe080e
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 8:55:41 PM
Last updated: 7/30/2025, 2:16:29 AM
Views: 11
Related Threats
- CVE-2025-8988: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-8987: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-8986: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)
- CVE-2025-31987: CWE-405 Asymmetric Resource Consumption in HCL Software Connections Docs (Medium)
- CVE-2025-8985: SQL Injection in SourceCodester COVID 19 Testing Management System (Medium)