CVE-2024-57896: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount

During the unmount path, at close_ctree(), we first stop the cleaner kthread, using kthread_stop() which frees the associated task_struct, and then stop and destroy all the work queues. However after we stopped the cleaner we may still have a worker from the delalloc_workers queue running inode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(), which in turn tries to wake up the cleaner kthread - which was already destroyed before, resulting in a use-after-free on the task_struct.

Syzbot reported this with the following stack traces:

BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52

CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-delalloc btrfs_work_helper
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
__lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205
submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615
run_ordered_work fs/btrfs/async-thread.c:288 [inline]
btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Allocated by task 2:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4104 [inline]
slab_alloc_node mm/slub.c:4153 [inline]
kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0x57/0x8c0 kernel/fork.c:1113
copy_process+0x5d1/0x3d50 kernel/fork.c:2225
kernel_clone+0x223/0x870 kernel/fork.c:2807
kernel_thread+0x1bc/0x240 kernel/fork.c:2869
create_kthread kernel/kthread.c:412 [inline]
kthreadd+0x60d/0x810 kernel/kthread.c:767
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 24:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2338 [inline]
slab_free mm/slub.c:4598 [inline]
kmem_cache_free+0x195/0x410 mm/slub.c:4700
put_task_struct include/linux/sched/task.h:144 [inline]
delayed_put_task_struct+0x125/0x300 kernel/exit.c:227
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554
run_ksoftirqd+0xca/0x130 kernel/softirq.c:943
---truncated---
AI Analysis
Technical Summary
CVE-2024-57896 is a high-severity use-after-free vulnerability in the Linux kernel's Btrfs filesystem implementation. The flaw occurs during the unmount path in close_ctree(), where the cleaner kernel thread is stopped with kthread_stop(), which frees its task_struct, before the delalloc work queue has been flushed. A worker from delalloc_workers may still be executing submit_compressed_extents(), which calls btrfs_add_delayed_iput(); that function attempts to wake the cleaner kthread, which has already been destroyed, leading to a use-after-free on the task_struct. The vulnerability was identified by Syzbot through kernel address sanitizer (KASAN) reports showing slab-use-after-free errors in kernel locking code. Exploitation could lead to kernel memory corruption, causing system instability, crashes, or potentially privilege escalation due to corrupted kernel data structures. The CVSS 3.1 score of 7.8 reflects high impact on confidentiality, integrity, and availability, with low attack complexity but requiring local privileges (local access with low privileges). The vulnerability affects Linux kernel versions prior to the patch and is related to CWE-416 (Use After Free). No known exploits are reported in the wild yet, but the flaw's nature makes it a significant risk for systems using Btrfs, especially those performing frequent unmount operations. The detailed kernel stack traces confirm the use-after-free triggered during workqueue processing and task_struct lifecycle management.
Potential Impact
For European organizations, this vulnerability poses a substantial risk particularly to servers and systems running Linux with Btrfs filesystems. Btrfs is increasingly used in enterprise environments for its advanced features like snapshots and checksums. Exploitation could allow attackers with local access to cause denial of service through kernel crashes or potentially escalate privileges to gain unauthorized control over affected systems. This could lead to data breaches, disruption of critical services, and compromise of sensitive information. Organizations relying on Linux-based infrastructure for cloud services, data centers, or embedded devices could face operational interruptions and increased incident response costs. The vulnerability's requirement for local access limits remote exploitation but insider threats or compromised user accounts could leverage this flaw. Given the high confidentiality, integrity, and availability impact, European entities in finance, healthcare, government, and critical infrastructure sectors should prioritize remediation to prevent exploitation and maintain compliance with data protection regulations such as GDPR.
Mitigation Recommendations
1. Immediate patching: Apply the latest Linux kernel updates that address CVE-2024-57896 as soon as they become available from trusted Linux distributions or kernel maintainers.
2. Kernel version management: Maintain an inventory of Linux kernel versions in use and prioritize upgrades on systems utilizing Btrfs filesystems.
3. Limit local access: Restrict local user privileges and access to systems running vulnerable kernels to trusted personnel only. Implement strict access controls and monitoring to detect suspicious activities.
4. Use alternative filesystems: Where feasible, consider using more mature and less vulnerable filesystems if Btrfs features are not essential.
5. Monitoring and detection: Deploy kernel integrity monitoring and anomaly detection tools to identify crashes or unusual kernel behavior indicative of exploitation attempts.
6. Harden workqueue and kernel thread management: For organizations developing custom kernels or patches, ensure proper synchronization and lifecycle management of kernel threads and workqueues to avoid similar use-after-free conditions.
7. Incident response preparedness: Develop and test incident response plans to quickly address potential exploitation scenarios involving kernel vulnerabilities.
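The teardown-ordering mistake described in the advisory, and the lifecycle discipline recommendation 6 asks for, can be reproduced outside the kernel. The following is an added example, not kernel code and not part of the CVE record: a single-threaded, memory-safe model in which kthread_stop(), flush_workqueue(), destroy_workqueue() and btrfs_add_delayed_iput() are replaced by small stand-ins with the same names, and a wake-up aimed at a stopped cleaner is counted instead of dereferencing freed memory. The work items, the `struct fs_info` layout and the assumption that no new delalloc work is queued once the flush has run are all constructed for the model.

```c
/* Constructed model of the CVE-2024-57896 unmount ordering (added example,
 * not Linux kernel code). The stand-ins keep the kernel names so the two
 * close_ctree() variants can be read against the advisory text. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WORK 8

/* Stand-in for the cleaner kthread's task_struct. */
struct task {
    int alive;     /* 1 while the task_struct is valid */
    int wakeups;   /* wake_up_process() calls that reached a live task */
};

struct fs_info;
typedef void (*work_fn)(struct fs_info *);

/* Stand-in for the btrfs-delalloc workqueue: a FIFO of pending work items. */
struct workqueue {
    int head, tail;
    work_fn items[MAX_WORK];
};

struct fs_info {
    struct task *cleaner;             /* pointer the workers keep using */
    struct workqueue delalloc_workers;
    int uaf_hits;                     /* wake-ups aimed at a stopped cleaner */
};

static struct task *kthread_run(void) {
    struct task *t = calloc(1, sizeof *t);
    t->alive = 1;
    return t;
}

/* In the kernel kthread_stop() drops the last reference and the task_struct
 * is freed; the model only marks it dead so it stays memory-safe. */
static void kthread_stop(struct task *t) { t->alive = 0; }

static void wake_up_process(struct fs_info *fs, struct task *t) {
    if (!t->alive) { fs->uaf_hits++; return; }  /* the kernel would touch freed memory here */
    t->wakeups++;
}

static void queue_work(struct workqueue *wq, work_fn fn) {
    if (wq->tail < MAX_WORK) wq->items[wq->tail++] = fn;
}

/* flush_workqueue() stand-in: run every pending item before returning. */
static void flush_workqueue(struct fs_info *fs, struct workqueue *wq) {
    while (wq->head < wq->tail) wq->items[wq->head++](fs);
}

/* destroy_workqueue() also drains whatever is still queued, which is why the
 * vulnerable order lets a worker run after the cleaner is already gone. */
static void destroy_workqueue(struct fs_info *fs, struct workqueue *wq) {
    flush_workqueue(fs, wq);
}

static void btrfs_add_delayed_iput(struct fs_info *fs) {
    wake_up_process(fs, fs->cleaner);
}

/* Delalloc worker: finishing the compressed extents drops an inode reference
 * through btrfs_add_delayed_iput(), which wakes the cleaner. */
static void submit_compressed_extents(struct fs_info *fs) {
    btrfs_add_delayed_iput(fs);
}

/* Constructed mount state: a live cleaner and `pending` queued workers. */
static void open_ctree_model(struct fs_info *fs, int pending) {
    memset(fs, 0, sizeof *fs);
    fs->cleaner = kthread_run();
    for (int i = 0; i < pending; i++)
        queue_work(&fs->delalloc_workers, submit_compressed_extents);
}

/* Vulnerable order from the advisory: stop the cleaner, then destroy queues.
 * Returns how many workers woke a cleaner that no longer existed. */
int close_ctree_vulnerable(int pending) {
    struct fs_info fs;
    open_ctree_model(&fs, pending);
    kthread_stop(fs.cleaner);
    destroy_workqueue(&fs, &fs.delalloc_workers);
    int hits = fs.uaf_hits;
    free(fs.cleaner);
    return hits;
}

/* Fixed order (the patch title): flush the delalloc workers first, so no
 * worker can reach the cleaner after it has been stopped. The model assumes
 * nothing enqueues new delalloc work after the flush. */
int close_ctree_fixed(int pending) {
    struct fs_info fs;
    open_ctree_model(&fs, pending);
    flush_workqueue(&fs, &fs.delalloc_workers);
    kthread_stop(fs.cleaner);
    destroy_workqueue(&fs, &fs.delalloc_workers);
    int hits = fs.uaf_hits;
    free(fs.cleaner);
    return hits;
}

int main(void) {
    printf("vulnerable order: %d wake-ups on a stopped cleaner\n", close_ctree_vulnerable(3));
    printf("fixed order:      %d wake-ups on a stopped cleaner\n", close_ctree_fixed(3));
    return 0;
}
```

The point the model makes is the one recommendation 6 states in general terms: any object that queued work can still reference must outlive the queue, so the queue is flushed (or destroyed) before the object is torn down, and the teardown order is reviewed whenever a new caller of the object is added to a work item. With KASAN enabled, the real kernel reports the vulnerable order as the slab-use-after-free shown in the description.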
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-11T14:45:42.029Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9822c4522896dcbde9cc
Added to database: 5/21/2025, 9:08:50 AM
Last enriched: 7/2/2025, 10:28:27 PM
Last updated: 8/13/2025, 12:57:31 PM
Views: 15
Related Threats
- CVE-2025-9000: Uncontrolled Search Path in Mechrevo Control Center GX V2 (High)
- CVE-2025-8993: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-8992: Cross-Site Request Forgery in mtons mblog (Medium)
- CVE-2025-8991: Business Logic Errors in linlinjava litemall (Medium)
- CVE-2025-8990: SQL Injection in code-projects Online Medicine Guide (Medium)