APPLIED: [SRU][J][PATCH 0/2] CVE-2024-47691 and CVE-2024-53218
Stefan Bader
stefan.bader at canonical.com
Fri Oct 31 10:27:58 UTC 2025
On 27/10/2025 22:19, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2024-47691
> https://ubuntu.com/security/CVE-2024-53218
>
> [ Impact ]
>
> CVE-2024-47691
>
> f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
>
> The root cause is below race condition, it may cause use-after-free
> issue in sbi->gc_th pointer.
>
> - remount
> - f2fs_remount
> - f2fs_stop_gc_thread
> - kfree(gc_th)
> - f2fs_ioc_shutdown
> - f2fs_do_shutdown
> - f2fs_stop_gc_thread
> - kthread_stop(gc_th->f2fs_gc_task)
> : sbi->gc_thread = NULL;
>
> We will call f2fs_do_shutdown() in two paths:
> - for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore
> for fixing.
> - for f2fs_shutdown() path, it's safe since caller has already grabbed
> sb->s_umount semaphore.
>
> CVE-2024-53218
>
> f2fs: fix race in concurrent f2fs_stop_gc_thread
>
> The root cause is a race condition in f2fs_stop_gc_thread() called from
> different f2fs shutdown paths:
>
> [CPU0] [CPU1]
> ---------------------- -----------------------
> f2fs_stop_gc_thread f2fs_stop_gc_thread
> gc_th = sbi->gc_thread
> gc_th = sbi->gc_thread
> kfree(gc_th)
> sbi->gc_thread = NULL
> < gc_th != NULL >
> kthread_stop(gc_th->f2fs_gc_task) //UAF
>
> The commit c7f114d864ac ("f2fs: fix to avoid use-after-free in
> f2fs_stop_gc_thread()") attempted to fix this issue by using a read
> semaphore to prevent races between shutdown and remount threads, but
> it fails to prevent all race conditions.
>
> Fix it by converting to write lock of s_umount in f2fs_do_shutdown().
>
> [ Fix ]
>
> Backport from upstream the fix commits:
> - c7f114d864ac f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
> - 7b0033dbc483 f2fs: fix race in concurrent f2fs_stop_gc_thread
>
> [ Test Plan ]
>
> Compile and boot tested.
>
> Stress tested a f2fs partition:
> ```
> $ sudo parted -s /dev/vdb mklabel gpt
> $ sudo parted -s /dev/vdb mkpart primary 0% 100%
> $ sudo mkfs.f2fs -l test /dev/vdb1
> $ sudo mkdir /mnt/test
> $ sudo mount -t f2fs /dev/vdb1 /mnt/test/
> $ cd /mnt/test/
> $ sudo stress-ng --class filesystem --sequential 4 --timeout 15s --aggressive --metrics-brief
> ```
>
> Tested issuing multiple shudown ioctls in parallel:
> ```
> for i in $(seq 1 10); do
> f2fs_io shutdown 0 /mnt/temp/test.txt &
> done
> ```
>
> [ Regression Potential ]
>
> The fix serialized concurrent shutdowns and remount paths by taking
> sbi->s_umount for write around GC thread teardown, ensuring only one
> caller can observe amd operate on sbi->gc_thread at a time.
> An issue with this patch could change how long remount and shutdown
> take, making certain fs commands block longer or timeout. Under heavy
> load an issue may also reveal lock-order bugs.
>
> Chao Yu (1):
> f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
>
> Long Li (1):
> f2fs: fix race in concurrent f2fs_stop_gc_thread
>
> fs/f2fs/file.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
Applied to jammy:linux/master-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251031/265e120a/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251031/265e120a/attachment-0001.sig>
More information about the kernel-team
mailing list