ACK: [SRU][J][PATCH 0/2] CVE-2024-47691 and CVE-2024-53218

Tim Whisonant tim.whisonant at canonical.com
Tue Oct 28 00:51:18 UTC 2025 

On Mon, Oct 27, 2025 at 10:19:53PM +0100, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2024-47691
> https://ubuntu.com/security/CVE-2024-53218
> 
> [ Impact ]
> 
> CVE-2024-47691
>  
>   f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
>    
>   The root cause is below race condition, it may cause use-after-free
>   issue in sbi->gc_th pointer.
> 
>   - remount
>    - f2fs_remount
>     - f2fs_stop_gc_thread
>      - kfree(gc_th)
>   				- f2fs_ioc_shutdown
> 				 - f2fs_do_shutdown
> 				  - f2fs_stop_gc_thread
> 				   - kthread_stop(gc_th->f2fs_gc_task)
>      : sbi->gc_thread = NULL;
> 
>   We will call f2fs_do_shutdown() in two paths:
>   - for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore
>     for fixing.
>   - for f2fs_shutdown() path, it's safe since caller has already grabbed
>     sb->s_umount semaphore.
> 
> CVE-2024-53218
>   
>   f2fs: fix race in concurrent f2fs_stop_gc_thread
> 
>   The root cause is a race condition in f2fs_stop_gc_thread() called from
>   different f2fs shutdown paths:
> 
>     [CPU0]                       [CPU1]
>     ----------------------       -----------------------
>     f2fs_stop_gc_thread          f2fs_stop_gc_thread
>                                    gc_th = sbi->gc_thread
>       gc_th = sbi->gc_thread
>       kfree(gc_th)
>       sbi->gc_thread = NULL
>                                    < gc_th != NULL >
>                                    kthread_stop(gc_th->f2fs_gc_task) //UAF
> 
>   The commit c7f114d864ac ("f2fs: fix to avoid use-after-free in
>   f2fs_stop_gc_thread()") attempted to fix this issue by using a read
>   semaphore to prevent races between shutdown and remount threads, but
>   it fails to prevent all race conditions.
> 
>   Fix it by converting to write lock of s_umount in f2fs_do_shutdown().
> 
> [ Fix ]
> 
> Backport from upstream the fix commits:
> - c7f114d864ac f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
> - 7b0033dbc483 f2fs: fix race in concurrent f2fs_stop_gc_thread
> 
> [ Test Plan ]
> 
> Compile and boot tested.
> 
> Stress tested a f2fs partition:
> ```
> $ sudo parted -s /dev/vdb mklabel gpt
> $ sudo parted -s /dev/vdb mkpart primary 0% 100%
> $ sudo mkfs.f2fs -l test /dev/vdb1
> $ sudo mkdir /mnt/test
> $ sudo mount -t f2fs /dev/vdb1 /mnt/test/
> $ cd /mnt/test/
> $ sudo stress-ng --class filesystem --sequential 4 --timeout 15s --aggressive --metrics-brief
> ```
> 
> Tested issuing multiple shudown ioctls in parallel:
> ```
> for i in $(seq 1 10); do
> 	f2fs_io shutdown 0 /mnt/temp/test.txt &
> done
> ```
> 
> [ Regression Potential ]
> 
> The fix serialized concurrent shutdowns and remount paths by taking
> sbi->s_umount for write around GC thread teardown, ensuring only one
> caller can observe amd operate on sbi->gc_thread at a time.
> An issue with this patch could change how long remount and shutdown
> take, making certain fs commands block longer or timeout. Under heavy
> load an issue may also reveal lock-order bugs.
> 
> Chao Yu (1):
>   f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
> 
> Long Li (1):
>   f2fs: fix race in concurrent f2fs_stop_gc_thread
> 
>  fs/f2fs/file.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> -- 
> 2.51.0
> 

Acked-by: Tim Whisonant <tim.whisonant at canonical.com>

More information about the kernel-team mailing list