{"vulnerability": "CVE-2024-57896", "sightings": [{"uuid": "55031141-82e9-467c-838d-e5fce1e1536b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-57896", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3lfrtz6moib2c", "content": "", "creation_timestamp": "2025-01-15T13:17:03.449451Z"}, {"uuid": "567f28c7-eb77-420c-8c57-9cea97221323", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-57896", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/816dcc8e-f25a-4895-9b59-1bbd9caeccb8", "content": "", "creation_timestamp": "2025-12-03T14:14:49.267740Z"}, {"uuid": "da4bde6a-4e29-43ca-bad6-bcd2d528eca9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-57896", "type": "seen", "source": "https://t.me/cvedetector/15452", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-57896 - Vulnerability: Intel Linux Kernels btrfs Delalloc Workers Use-After-Free\", \n  \"Content\": \"CVE ID : CVE-2024-57896 \nPublished : Jan. 15, 2025, 1:15 p.m. | 36\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nbtrfs: flush delalloc workers queue before stopping cleaner kthread during unmount  \n  \nDuring the unmount path, at close_ctree(), we first stop the cleaner  \nkthread, using kthread_stop() which frees the associated task_struct, and  \nthen stop and destroy all the work queues. However after we stopped the  \ncleaner we may still have a worker from the delalloc_workers queue running  \ninode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(),  \nwhich in turn tries to wake up the cleaner kthread - which was already  \ndestroyed before, resulting in a use-after-free on the task_struct.  \n  \nSyzbot reported this with the following stack traces:  \n  \n  BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089  \n  Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52  \n  \n  CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0  \n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024  \n  Workqueue: btrfs-delalloc btrfs_work_helper  \n  Call Trace:  \n     \n   __dump_stack lib/dump_stack.c:94 [inline]  \n   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120  \n   print_address_description mm/kasan/report.c:378 [inline]  \n   print_report+0x169/0x550 mm/kasan/report.c:489  \n   kasan_report+0x143/0x180 mm/kasan/report.c:602  \n   __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089  \n   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849  \n   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]  \n   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162  \n   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]  \n   try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205  \n   submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615  \n   run_ordered_work fs/btrfs/async-thread.c:288 [inline]  \n   btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324  \n   process_one_work kernel/workqueue.c:3229 [inline]  \n   process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310  \n   worker_thread+0x870/0xd30 kernel/workqueue.c:3391  \n   kthread+0x2f0/0x390 kernel/kthread.c:389  \n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147  \n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  \n     \n  \n  Allocated by task 2:  \n   kasan_save_stack mm/kasan/common.c:47 [inline]  \n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68  \n   unpoison_slab_object mm/kasan/common.c:319 [inline]  \n   __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345  \n   kasan_slab_alloc include/linux/kasan.h:250 [inline]  \n   slab_post_alloc_hook mm/slub.c:4104 [inline]  \n   slab_alloc_node mm/slub.c:4153 [inline]  \n   kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205  \n   alloc_task_struct_node kernel/fork.c:180 [inline]  \n   dup_task_struct+0x57/0x8c0 kernel/fork.c:1113  \n   copy_process+0x5d1/0x3d50 kernel/fork.c:2225  \n   kernel_clone+0x223/0x870 kernel/fork.c:2807  \n   kernel_thread+0x1bc/0x240 kernel/fork.c:2869  \n   create_kthread kernel/kthread.c:412 [inline]  \n   kthreadd+0x60d/0x810 kernel/kthread.c:767  \n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147  \n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  \n  \n  Freed by task 24:  \n   kasan_save_stack mm/kasan/common.c:47 [inline]  \n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68  \n   kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582  \n   poison_slab_object mm/kasan/common.c:247 [inline]  \n   __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264  \n   kasan_slab_free include/linux/kasan.h:233 [inline]  \n   slab_free_hook mm/slub.c:2338 [inline]  \n   slab_free mm/slub.c:4598 [inline]  \n   kmem_cache_free+0x195/0x410 mm/slub.c:4700  \n   put_ta[...]", "creation_timestamp": "2025-01-15T15:06:56.000000Z"}]}