CVE-2024-49867 (GCVE-0-2024-49867)

Vulnerability from cvelistv5 – Published: 2024-10-21 18:01 – Updated: 2026-05-11 20:40
VLAI?
Title
btrfs: wait for fixup workers before stopping cleaner kthread during umount
Summary
In the Linux kernel, the following vulnerability has been resolved: btrfs: wait for fixup workers before stopping cleaner kthread during umount During unmount, at close_ctree(), we have the following steps in this order: 1) Park the cleaner kthread - this doesn't destroy the kthread, it basically halts its execution (wake ups against it work but do nothing); 2) We stop the cleaner kthread - this results in freeing the respective struct task_struct; 3) We call btrfs_stop_all_workers() which waits for any jobs running in all the work queues and then free the work queues. Syzbot reported a case where a fixup worker resulted in a crash when doing a delayed iput on its inode while attempting to wake up the cleaner at btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread was already freed. This can happen during unmount because we don't wait for any fixup workers still running before we call kthread_stop() against the cleaner kthread, which stops and free all its resources. Fix this by waiting for any fixup workers at close_ctree() before we call kthread_stop() against the cleaner and run pending delayed iputs. The stack traces reported by syzbot were the following: BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065 Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: btrfs-fixup btrfs_work_helper Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154 btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842 btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314 process_one_work kernel/workqueue.c:3229 [inline] process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310 worker_thread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 2: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4086 [inline] slab_alloc_node mm/slub.c:4135 [inline] kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187 alloc_task_struct_node kernel/fork.c:180 [inline] dup_task_struct+0x57/0x8c0 kernel/fork.c:1107 copy_process+0x5d1/0x3d50 kernel/fork.c:2206 kernel_clone+0x223/0x880 kernel/fork.c:2787 kernel_thread+0x1bc/0x240 kernel/fork.c:2849 create_kthread kernel/kthread.c:412 [inline] kthreadd+0x60d/0x810 kernel/kthread.c:765 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 61: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_h ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 7a97311de48d56af6db4c5819f95faf9b0b23b1a , < a71349b692ab34ea197949e13e3cc42570fe73d9 (git)
Affected: f4b1363cae43fef7c86c993b7ca7fe7d546b3c68 , < 70b60c8d9b42763d6629e44f448aa5d8ae477d61 (git)
Affected: f4b1363cae43fef7c86c993b7ca7fe7d546b3c68 , < 4c98fe0dfa2ae83c4631699695506d8941db4bfe (git)
Affected: f4b1363cae43fef7c86c993b7ca7fe7d546b3c68 , < 9da40aea63f8769f28afb91aea0fac4cf6fbbb65 (git)
Affected: f4b1363cae43fef7c86c993b7ca7fe7d546b3c68 , < ed87190e9d9c80aad220fb6b0b03a84d22e2c95b (git)
Affected: f4b1363cae43fef7c86c993b7ca7fe7d546b3c68 , < bf0de0f9a0544c11f96f93206da04ab87dcea1f4 (git)
Affected: f4b1363cae43fef7c86c993b7ca7fe7d546b3c68 , < 65d11eb276836d49003a8060cf31fa2284ad1047 (git)
Affected: f4b1363cae43fef7c86c993b7ca7fe7d546b3c68 , < 41fd1e94066a815a7ab0a7025359e9b40e4b3576 (git)
Affected: 6026fd9da213daab95469356fe7fdcf29ae1a296 (git)
Create a notification for this product.
Linux Linux Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 5.4.285 , ≤ 5.4.* (semver)
Unaffected: 5.10.227 , ≤ 5.10.* (semver)
Unaffected: 5.15.168 , ≤ 5.15.* (semver)
Unaffected: 6.1.113 , ≤ 6.1.* (semver)
Unaffected: 6.6.55 , ≤ 6.6.* (semver)
Unaffected: 6.10.14 , ≤ 6.10.* (semver)
Unaffected: 6.11.3 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49867",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:47:28.241887Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:48:52.483Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:22:34.501Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/disk-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a71349b692ab34ea197949e13e3cc42570fe73d9",
              "status": "affected",
              "version": "7a97311de48d56af6db4c5819f95faf9b0b23b1a",
              "versionType": "git"
            },
            {
              "lessThan": "70b60c8d9b42763d6629e44f448aa5d8ae477d61",
              "status": "affected",
              "version": "f4b1363cae43fef7c86c993b7ca7fe7d546b3c68",
              "versionType": "git"
            },
            {
              "lessThan": "4c98fe0dfa2ae83c4631699695506d8941db4bfe",
              "status": "affected",
              "version": "f4b1363cae43fef7c86c993b7ca7fe7d546b3c68",
              "versionType": "git"
            },
            {
              "lessThan": "9da40aea63f8769f28afb91aea0fac4cf6fbbb65",
              "status": "affected",
              "version": "f4b1363cae43fef7c86c993b7ca7fe7d546b3c68",
              "versionType": "git"
            },
            {
              "lessThan": "ed87190e9d9c80aad220fb6b0b03a84d22e2c95b",
              "status": "affected",
              "version": "f4b1363cae43fef7c86c993b7ca7fe7d546b3c68",
              "versionType": "git"
            },
            {
              "lessThan": "bf0de0f9a0544c11f96f93206da04ab87dcea1f4",
              "status": "affected",
              "version": "f4b1363cae43fef7c86c993b7ca7fe7d546b3c68",
              "versionType": "git"
            },
            {
              "lessThan": "65d11eb276836d49003a8060cf31fa2284ad1047",
              "status": "affected",
              "version": "f4b1363cae43fef7c86c993b7ca7fe7d546b3c68",
              "versionType": "git"
            },
            {
              "lessThan": "41fd1e94066a815a7ab0a7025359e9b40e4b3576",
              "status": "affected",
              "version": "f4b1363cae43fef7c86c993b7ca7fe7d546b3c68",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6026fd9da213daab95469356fe7fdcf29ae1a296",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/disk-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.227",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.285",
                  "versionStartIncluding": "5.4.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.227",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.168",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.113",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.55",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.14",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.3",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: wait for fixup workers before stopping cleaner kthread during umount\n\nDuring unmount, at close_ctree(), we have the following steps in this order:\n\n1) Park the cleaner kthread - this doesn\u0027t destroy the kthread, it basically\n   halts its execution (wake ups against it work but do nothing);\n\n2) We stop the cleaner kthread - this results in freeing the respective\n   struct task_struct;\n\n3) We call btrfs_stop_all_workers() which waits for any jobs running in all\n   the work queues and then free the work queues.\n\nSyzbot reported a case where a fixup worker resulted in a crash when doing\na delayed iput on its inode while attempting to wake up the cleaner at\nbtrfs_add_delayed_iput(), because the task_struct of the cleaner kthread\nwas already freed. This can happen during unmount because we don\u0027t wait\nfor any fixup workers still running before we call kthread_stop() against\nthe cleaner kthread, which stops and free all its resources.\n\nFix this by waiting for any fixup workers at close_ctree() before we call\nkthread_stop() against the cleaner and run pending delayed iputs.\n\nThe stack traces reported by syzbot were the following:\n\n  BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\n  Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52\n\n  CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  Workqueue: btrfs-fixup btrfs_work_helper\n  Call Trace:\n   \u003cTASK\u003e\n   __dump_stack lib/dump_stack.c:94 [inline]\n   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:377 [inline]\n   print_report+0x169/0x550 mm/kasan/report.c:488\n   kasan_report+0x143/0x180 mm/kasan/report.c:601\n   __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\n   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\n   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162\n   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\n   try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154\n   btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842\n   btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314\n   process_one_work kernel/workqueue.c:3229 [inline]\n   process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\n   worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n   kthread+0x2f0/0x390 kernel/kthread.c:389\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n   \u003c/TASK\u003e\n\n  Allocated by task 2:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n   unpoison_slab_object mm/kasan/common.c:319 [inline]\n   __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345\n   kasan_slab_alloc include/linux/kasan.h:247 [inline]\n   slab_post_alloc_hook mm/slub.c:4086 [inline]\n   slab_alloc_node mm/slub.c:4135 [inline]\n   kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187\n   alloc_task_struct_node kernel/fork.c:180 [inline]\n   dup_task_struct+0x57/0x8c0 kernel/fork.c:1107\n   copy_process+0x5d1/0x3d50 kernel/fork.c:2206\n   kernel_clone+0x223/0x880 kernel/fork.c:2787\n   kernel_thread+0x1bc/0x240 kernel/fork.c:2849\n   create_kthread kernel/kthread.c:412 [inline]\n   kthreadd+0x60d/0x810 kernel/kthread.c:765\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n  Freed by task 61:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n   kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\n   poison_slab_object mm/kasan/common.c:247 [inline]\n   __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n   kasan_slab_free include/linux/kasan.h:230 [inline]\n   slab_free_h\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:40:45.970Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a71349b692ab34ea197949e13e3cc42570fe73d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/70b60c8d9b42763d6629e44f448aa5d8ae477d61"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c98fe0dfa2ae83c4631699695506d8941db4bfe"
        },
        {
          "url": "https://git.kernel.org/stable/c/9da40aea63f8769f28afb91aea0fac4cf6fbbb65"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed87190e9d9c80aad220fb6b0b03a84d22e2c95b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf0de0f9a0544c11f96f93206da04ab87dcea1f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/65d11eb276836d49003a8060cf31fa2284ad1047"
        },
        {
          "url": "https://git.kernel.org/stable/c/41fd1e94066a815a7ab0a7025359e9b40e4b3576"
        }
      ],
      "title": "btrfs: wait for fixup workers before stopping cleaner kthread during umount",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49867",
    "datePublished": "2024-10-21T18:01:09.962Z",
    "dateReserved": "2024-10-21T12:17:06.018Z",
    "dateUpdated": "2026-05-11T20:40:45.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-49867",
      "date": "2026-05-21",
      "epss": "7e-05",
      "percentile": "0.00539"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-49867\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-10-21T18:15:06.403\",\"lastModified\":\"2026-01-05T11:17:19.930\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: wait for fixup workers before stopping cleaner kthread during umount\\n\\nDuring unmount, at close_ctree(), we have the following steps in this order:\\n\\n1) Park the cleaner kthread - this doesn\u0027t destroy the kthread, it basically\\n   halts its execution (wake ups against it work but do nothing);\\n\\n2) We stop the cleaner kthread - this results in freeing the respective\\n   struct task_struct;\\n\\n3) We call btrfs_stop_all_workers() which waits for any jobs running in all\\n   the work queues and then free the work queues.\\n\\nSyzbot reported a case where a fixup worker resulted in a crash when doing\\na delayed iput on its inode while attempting to wake up the cleaner at\\nbtrfs_add_delayed_iput(), because the task_struct of the cleaner kthread\\nwas already freed. This can happen during unmount because we don\u0027t wait\\nfor any fixup workers still running before we call kthread_stop() against\\nthe cleaner kthread, which stops and free all its resources.\\n\\nFix this by waiting for any fixup workers at close_ctree() before we call\\nkthread_stop() against the cleaner and run pending delayed iputs.\\n\\nThe stack traces reported by syzbot were the following:\\n\\n  BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\\n  Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52\\n\\n  CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0\\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\\n  Workqueue: btrfs-fixup btrfs_work_helper\\n  Call Trace:\\n   \u003cTASK\u003e\\n   __dump_stack lib/dump_stack.c:94 [inline]\\n   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\\n   print_address_description mm/kasan/report.c:377 [inline]\\n   print_report+0x169/0x550 mm/kasan/report.c:488\\n   kasan_report+0x143/0x180 mm/kasan/report.c:601\\n   __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\\n   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\\n   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\\n   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162\\n   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\\n   try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154\\n   btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842\\n   btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314\\n   process_one_work kernel/workqueue.c:3229 [inline]\\n   process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\\n   worker_thread+0x870/0xd30 kernel/workqueue.c:3391\\n   kthread+0x2f0/0x390 kernel/kthread.c:389\\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n   \u003c/TASK\u003e\\n\\n  Allocated by task 2:\\n   kasan_save_stack mm/kasan/common.c:47 [inline]\\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n   unpoison_slab_object mm/kasan/common.c:319 [inline]\\n   __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345\\n   kasan_slab_alloc include/linux/kasan.h:247 [inline]\\n   slab_post_alloc_hook mm/slub.c:4086 [inline]\\n   slab_alloc_node mm/slub.c:4135 [inline]\\n   kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187\\n   alloc_task_struct_node kernel/fork.c:180 [inline]\\n   dup_task_struct+0x57/0x8c0 kernel/fork.c:1107\\n   copy_process+0x5d1/0x3d50 kernel/fork.c:2206\\n   kernel_clone+0x223/0x880 kernel/fork.c:2787\\n   kernel_thread+0x1bc/0x240 kernel/fork.c:2849\\n   create_kthread kernel/kthread.c:412 [inline]\\n   kthreadd+0x60d/0x810 kernel/kthread.c:765\\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n\\n  Freed by task 61:\\n   kasan_save_stack mm/kasan/common.c:47 [inline]\\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n   kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\\n   poison_slab_object mm/kasan/common.c:247 [inline]\\n   __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\\n   kasan_slab_free include/linux/kasan.h:230 [inline]\\n   slab_free_h\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs: esperar a los trabajadores de reparaci\u00f3n antes de detener el kthread del limpiador durante el desmontaje Durante el desmontaje, en close_ctree(), tenemos los siguientes pasos en este orden: 1) Aparcar el kthread del limpiador - esto no destruye el kthread, b\u00e1sicamente detiene su ejecuci\u00f3n (las reactivaciones contra \u00e9l funcionan pero no hacen nada); 2) Detenemos el kthread del limpiador - esto da como resultado la liberaci\u00f3n de la estructura respectiva task_struct; 3) Llamamos a btrfs_stop_all_workers() que espera a que se ejecuten trabajos en todas las colas de trabajo y luego libera las colas de trabajo. Syzbot inform\u00f3 de un caso en el que un trabajador de reparaci\u00f3n provoc\u00f3 un bloqueo al realizar una entrada retrasada en su inodo mientras intentaba despertar al limpiador en btrfs_add_delayed_iput(), porque la estructura task_struct del kthread del limpiador ya estaba liberada. Esto puede suceder durante el desmontaje porque no esperamos a que haya ning\u00fan trabajador de reparaci\u00f3n que a\u00fan est\u00e9 en ejecuci\u00f3n antes de llamar a kthread_stop() contra el kthread de limpieza, que se detiene y libera todos sus recursos. Solucione esto esperando a que haya alg\u00fan trabajador de reparaci\u00f3n en close_ctree() antes de llamar a kthread_stop() contra el kthread de limpieza y ejecutarlo en espera de entradas retrasadas. Los seguimientos de pila informados por syzbot fueron los siguientes: ERROR: KASAN: slab-use-after-free en __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff8880272a8a18 por la tarea kworker/u8:3/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 No contaminado 6.12.0-rc1-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 13/09/2024 Cola de trabajo: btrfs-fixup btrfs_work_helper Seguimiento de llamadas:  __dump_stack lib/dump_stack.c:94 [en l\u00ednea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 imprimir_direcci\u00f3n_descripci\u00f3n mm/kasan/report.c:377 [en l\u00ednea] imprimir_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825 __raw_spin_lock_irqsave incluir/linux/spinlock_api_smp.h:110 [en l\u00ednea] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 constructor de guardado de irq de clase_sin procesar spinlock include/linux/spinlock.h:551 [en l\u00ednea] intento_de_activaci\u00f3n+0xb0/0x1480 kernel/sched/core.c:4154 btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842 btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314 proceso_un_trabajo kernel/workqueue.c:3229 [en l\u00ednea] proceso_trabajos_programados+0xa63/0x1850 kernel/workqueue.c:3310 subproceso_trabajador+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244  Asignado por la tarea 2: kasan_save_stack mm/kasan/common.c:47 [en l\u00ednea] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [en l\u00ednea] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:247 [en l\u00ednea] slab_post_alloc_hook mm/slub.c:4086 [en l\u00ednea] slab_alloc_node mm/slub.c:4135 [en l\u00ednea] kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187 alloc_task_struct_node kernel/fork.c:180 [en l\u00ednea] dup_task_struct+0x57/0x8c0 kernel/fork.c:1107 copy_process+0x5d1/0x3d50 kernel/fork.c:2206 kernel_clone+0x223/0x880 kernel/fork.c:2787 kernel_thread+0x1bc/0x240 kernel/fork.c:2849 create_kthread kernel/kthread.c:412 [en l\u00ednea] kthreadd+0x60d/0x810 kernel/kthread.c:765 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Liberado por la tarea 61: kasan_save_stack mm/kasan/common.c:47 [en l\u00ednea] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/k---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.10.227\",\"matchCriteriaId\":\"EB525A44-6338-4857-AD90-EA2860D1AD1F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.168\",\"matchCriteriaId\":\"4D51C05D-455B-4D8D-89E7-A58E140B864C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.113\",\"matchCriteriaId\":\"D01BD22E-ACD1-4618-9D01-6116570BE1EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.55\",\"matchCriteriaId\":\"E90B9576-56C4-47BC-AAB0-C5B2D438F5D0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.10.14\",\"matchCriteriaId\":\"4C16BCE0-FFA0-4599-BE0A-1FD65101C021\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.11\",\"versionEndExcluding\":\"6.11.3\",\"matchCriteriaId\":\"54D9C704-D679-41A7-9C40-10A6B1E7FFE9\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/41fd1e94066a815a7ab0a7025359e9b40e4b3576\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4c98fe0dfa2ae83c4631699695506d8941db4bfe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/65d11eb276836d49003a8060cf31fa2284ad1047\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/70b60c8d9b42763d6629e44f448aa5d8ae477d61\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9da40aea63f8769f28afb91aea0fac4cf6fbbb65\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a71349b692ab34ea197949e13e3cc42570fe73d9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bf0de0f9a0544c11f96f93206da04ab87dcea1f4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ed87190e9d9c80aad220fb6b0b03a84d22e2c95b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T22:22:34.501Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-49867\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-22T13:47:28.241887Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-22T13:47:31.416Z\"}}], \"cna\": {\"title\": \"btrfs: wait for fixup workers before stopping cleaner kthread during umount\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"7a97311de48d56af6db4c5819f95faf9b0b23b1a\", \"lessThan\": \"a71349b692ab34ea197949e13e3cc42570fe73d9\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f4b1363cae43fef7c86c993b7ca7fe7d546b3c68\", \"lessThan\": \"70b60c8d9b42763d6629e44f448aa5d8ae477d61\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f4b1363cae43fef7c86c993b7ca7fe7d546b3c68\", \"lessThan\": \"4c98fe0dfa2ae83c4631699695506d8941db4bfe\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f4b1363cae43fef7c86c993b7ca7fe7d546b3c68\", \"lessThan\": \"9da40aea63f8769f28afb91aea0fac4cf6fbbb65\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f4b1363cae43fef7c86c993b7ca7fe7d546b3c68\", \"lessThan\": \"ed87190e9d9c80aad220fb6b0b03a84d22e2c95b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f4b1363cae43fef7c86c993b7ca7fe7d546b3c68\", \"lessThan\": \"bf0de0f9a0544c11f96f93206da04ab87dcea1f4\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f4b1363cae43fef7c86c993b7ca7fe7d546b3c68\", \"lessThan\": \"65d11eb276836d49003a8060cf31fa2284ad1047\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f4b1363cae43fef7c86c993b7ca7fe7d546b3c68\", \"lessThan\": \"41fd1e94066a815a7ab0a7025359e9b40e4b3576\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"6026fd9da213daab95469356fe7fdcf29ae1a296\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/btrfs/disk-io.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.6\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.6\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.4.285\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.227\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.168\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.113\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.55\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.10.14\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.10.*\"}, {\"status\": \"unaffected\", \"version\": \"6.11.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.11.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/btrfs/disk-io.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/a71349b692ab34ea197949e13e3cc42570fe73d9\"}, {\"url\": \"https://git.kernel.org/stable/c/70b60c8d9b42763d6629e44f448aa5d8ae477d61\"}, {\"url\": \"https://git.kernel.org/stable/c/4c98fe0dfa2ae83c4631699695506d8941db4bfe\"}, {\"url\": \"https://git.kernel.org/stable/c/9da40aea63f8769f28afb91aea0fac4cf6fbbb65\"}, {\"url\": \"https://git.kernel.org/stable/c/ed87190e9d9c80aad220fb6b0b03a84d22e2c95b\"}, {\"url\": \"https://git.kernel.org/stable/c/bf0de0f9a0544c11f96f93206da04ab87dcea1f4\"}, {\"url\": \"https://git.kernel.org/stable/c/65d11eb276836d49003a8060cf31fa2284ad1047\"}, {\"url\": \"https://git.kernel.org/stable/c/41fd1e94066a815a7ab0a7025359e9b40e4b3576\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: wait for fixup workers before stopping cleaner kthread during umount\\n\\nDuring unmount, at close_ctree(), we have the following steps in this order:\\n\\n1) Park the cleaner kthread - this doesn\u0027t destroy the kthread, it basically\\n   halts its execution (wake ups against it work but do nothing);\\n\\n2) We stop the cleaner kthread - this results in freeing the respective\\n   struct task_struct;\\n\\n3) We call btrfs_stop_all_workers() which waits for any jobs running in all\\n   the work queues and then free the work queues.\\n\\nSyzbot reported a case where a fixup worker resulted in a crash when doing\\na delayed iput on its inode while attempting to wake up the cleaner at\\nbtrfs_add_delayed_iput(), because the task_struct of the cleaner kthread\\nwas already freed. This can happen during unmount because we don\u0027t wait\\nfor any fixup workers still running before we call kthread_stop() against\\nthe cleaner kthread, which stops and free all its resources.\\n\\nFix this by waiting for any fixup workers at close_ctree() before we call\\nkthread_stop() against the cleaner and run pending delayed iputs.\\n\\nThe stack traces reported by syzbot were the following:\\n\\n  BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\\n  Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52\\n\\n  CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0\\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\\n  Workqueue: btrfs-fixup btrfs_work_helper\\n  Call Trace:\\n   \u003cTASK\u003e\\n   __dump_stack lib/dump_stack.c:94 [inline]\\n   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\\n   print_address_description mm/kasan/report.c:377 [inline]\\n   print_report+0x169/0x550 mm/kasan/report.c:488\\n   kasan_report+0x143/0x180 mm/kasan/report.c:601\\n   __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065\\n   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825\\n   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\\n   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162\\n   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\\n   try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154\\n   btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842\\n   btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314\\n   process_one_work kernel/workqueue.c:3229 [inline]\\n   process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310\\n   worker_thread+0x870/0xd30 kernel/workqueue.c:3391\\n   kthread+0x2f0/0x390 kernel/kthread.c:389\\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n   \u003c/TASK\u003e\\n\\n  Allocated by task 2:\\n   kasan_save_stack mm/kasan/common.c:47 [inline]\\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n   unpoison_slab_object mm/kasan/common.c:319 [inline]\\n   __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345\\n   kasan_slab_alloc include/linux/kasan.h:247 [inline]\\n   slab_post_alloc_hook mm/slub.c:4086 [inline]\\n   slab_alloc_node mm/slub.c:4135 [inline]\\n   kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187\\n   alloc_task_struct_node kernel/fork.c:180 [inline]\\n   dup_task_struct+0x57/0x8c0 kernel/fork.c:1107\\n   copy_process+0x5d1/0x3d50 kernel/fork.c:2206\\n   kernel_clone+0x223/0x880 kernel/fork.c:2787\\n   kernel_thread+0x1bc/0x240 kernel/fork.c:2849\\n   create_kthread kernel/kthread.c:412 [inline]\\n   kthreadd+0x60d/0x810 kernel/kthread.c:765\\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\\n\\n  Freed by task 61:\\n   kasan_save_stack mm/kasan/common.c:47 [inline]\\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\\n   kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579\\n   poison_slab_object mm/kasan/common.c:247 [inline]\\n   __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\\n   kasan_slab_free include/linux/kasan.h:230 [inline]\\n   slab_free_h\\n---truncated---\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.285\", \"versionStartIncluding\": \"5.4.22\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.227\", \"versionStartIncluding\": \"5.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.168\", \"versionStartIncluding\": \"5.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.113\", \"versionStartIncluding\": \"5.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.55\", \"versionStartIncluding\": \"5.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.10.14\", \"versionStartIncluding\": \"5.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.11.3\", \"versionStartIncluding\": \"5.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12\", \"versionStartIncluding\": \"5.6\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"5.5.6\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T20:40:45.970Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-49867\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T20:40:45.970Z\", \"dateReserved\": \"2024-10-21T12:17:06.018Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-10-21T18:01:09.962Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.