{"schema_version":"1.7.2","id":"OESA-2025-1669","modified":"2025-06-27T13:16:16Z","published":"2025-06-27T13:16:16Z","upstream":["CVE-2024-57896"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: flush delalloc workers queue before stopping cleaner kthread during unmount\n\nDuring the unmount path, at close_ctree(), we first stop the cleaner\nkthread, using kthread_stop() which frees the associated task_struct, and\nthen stop and destroy all the work queues. However after we stopped the\ncleaner we may still have a worker from the delalloc_workers queue running\ninode.c:submit_compressed_extents(), which calls btrfs_add_delayed_iput(),\nwhich in turn tries to wake up the cleaner kthread - which was already\ndestroyed before, resulting in a use-after-free on the task_struct.\n\nSyzbot reported this with the following stack traces:\n\n  BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089\n  Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52\n\n  CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\n  Workqueue: btrfs-delalloc btrfs_work_helper\n  Call Trace:\n   \u0026lt;TASK\u0026gt;\n   __dump_stack lib/dump_stack.c:94 [inline]\n   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:378 [inline]\n   print_report+0x169/0x550 mm/kasan/report.c:489\n   kasan_report+0x143/0x180 mm/kasan/report.c:602\n   __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089\n   lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849\n   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162\n   class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\n   try_to_wake_up+0xc2/0x1470 kernel/sched/core.c:4205\n   submit_compressed_extents+0xdf/0x16e0 fs/btrfs/inode.c:1615\n   run_ordered_work fs/btrfs/async-thread.c:288 [inline]\n   btrfs_work_helper+0x96f/0xc40 fs/btrfs/async-thread.c:324\n   process_one_work kernel/workqueue.c:3229 [inline]\n   process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3310\n   worker_thread+0x870/0xd30 kernel/workqueue.c:3391\n   kthread+0x2f0/0x390 kernel/kthread.c:389\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n   \u0026lt;/TASK\u0026gt;\n\n  Allocated by task 2:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n   unpoison_slab_object mm/kasan/common.c:319 [inline]\n   __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345\n   kasan_slab_alloc include/linux/kasan.h:250 [inline]\n   slab_post_alloc_hook mm/slub.c:4104 [inline]\n   slab_alloc_node mm/slub.c:4153 [inline]\n   kmem_cache_alloc_node_noprof+0x1d9/0x380 mm/slub.c:4205\n   alloc_task_struct_node kernel/fork.c:180 [inline]\n   dup_task_struct+0x57/0x8c0 kernel/fork.c:1113\n   copy_process+0x5d1/0x3d50 kernel/fork.c:2225\n   kernel_clone+0x223/0x870 kernel/fork.c:2807\n   kernel_thread+0x1bc/0x240 kernel/fork.c:2869\n   create_kthread kernel/kthread.c:412 [inline]\n   kthreadd+0x60d/0x810 kernel/kthread.c:767\n   ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n  Freed by task 24:\n   kasan_save_stack mm/kasan/common.c:47 [inline]\n   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n   kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n   poison_slab_object mm/kasan/common.c:247 [inline]\n   __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n   kasan_slab_free include/linux/kasan.h:233 [inline]\n   slab_free_hook mm/slub.c:2338 [inline]\n   slab_free mm/slub.c:4598 [inline]\n   kmem_cache_free+0x195/0x410 mm/slub.c:4700\n   put_task_struct include/linux/sched/task.h:144 [inline]\n   delayed_put_task_struct+0x125/0x300 kernel/exit.c:227\n   rcu_do_batch kernel/rcu/tree.c:2567 [inline]\n   rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823\n   handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:554\n   run_ksoftirqd+0xca/0x130 kernel/softirq.c:943\n  \n---truncated---(CVE-2024-57896)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"kernel","purl":"pkg:rpm/openEuler/kernel\u0026distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.0-98.0.0.101.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["bpftool-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","bpftool-debuginfo-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","kernel-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","kernel-debuginfo-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","kernel-debugsource-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","kernel-devel-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","kernel-headers-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","kernel-source-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","kernel-tools-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","kernel-tools-debuginfo-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","kernel-tools-devel-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","perf-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","perf-debuginfo-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","python3-perf-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm","python3-perf-debuginfo-6.6.0-98.0.0.101.oe2403sp1.aarch64.rpm"],"src":["kernel-6.6.0-98.0.0.101.oe2403sp1.src.rpm"],"x86_64":["bpftool-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","bpftool-debuginfo-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","kernel-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","kernel-debuginfo-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","kernel-debugsource-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","kernel-devel-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","kernel-headers-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","kernel-source-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","kernel-tools-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","kernel-tools-debuginfo-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","kernel-tools-devel-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","perf-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","perf-debuginfo-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","python3-perf-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm","python3-perf-debuginfo-6.6.0-98.0.0.101.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1669"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57896"}],"database_specific":{"severity":"High"}}