CVE-2024-57896

In the Linux kernel, the following vulnerability has been resolved:

btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount

During the unmount path, at closectree(), we first stop the cleaner kthread, using kthreadstop() which frees the associated taskstruct, and then stop and destroy all the work queues. However after we stopped the cleaner we may still have a worker from the delallocworkers queue running inode.c:submitcompressedextents(), which calls btrfsadddelayediput(), which in turn tries to wake up the cleaner kthread - which was already destroyed before, resulting in a use-after-free on the taskstruct.

Syzbot reported this with the following stack traces:

BUG: KASAN: slab-use-after-free in _lockacquire+0x78/0x2100 kernel/locking/lockdep.c:5089 Read of size 8 at addr ffff8880259d2818 by task kworker/u8:3/52

CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.13.0-rc1-syzkaller-00002-gcdd30ebb1b9f #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: btrfs-delalloc btrfsworkhelper Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:120 printaddressdescription mm/kasan/report.c:378 [inline] printreport+0x169/0x550 mm/kasan/report.c:489 kasanreport+0x143/0x180 mm/kasan/report.c:602 _lockacquire+0x78/0x2100 kernel/locking/lockdep.c:5089 lockacquire+0x1ed/0x550 kernel/locking/lockdep.c:5849 _rawspinlockirqsave include/linux/spinlockapismp.h:110 [inline] _rawspinlockirqsave+0xd5/0x120 kernel/locking/spinlock.c:162 classrawspinlockirqsaveconstructor include/linux/spinlock.h:551 [inline] trytowakeup+0xc2/0x1470 kernel/sched/core.c:4205 submitcompressedextents+0xdf/0x16e0 fs/btrfs/inode.c:1615 runorderedwork fs/btrfs/async-thread.c:288 [inline] btrfsworkhelper+0x96f/0xc40 fs/btrfs/async-thread.c:324 processonework kernel/workqueue.c:3229 [inline] processscheduledworks+0xa66/0x1840 kernel/workqueue.c:3310 workerthread+0x870/0xd30 kernel/workqueue.c:3391 kthread+0x2f0/0x390 kernel/kthread.c:389 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry64.S:244 </TASK>

Allocated by task 2: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 unpoisonslabobject mm/kasan/common.c:319 [inline] _kasanslaballoc+0x66/0x80 mm/kasan/common.c:345 kasanslaballoc include/linux/kasan.h:250 [inline] slabpostallochook mm/slub.c:4104 [inline] slaballocnode mm/slub.c:4153 [inline] kmemcacheallocnodenoprof+0x1d9/0x380 mm/slub.c:4205 alloctaskstructnode kernel/fork.c:180 [inline] duptaskstruct+0x57/0x8c0 kernel/fork.c:1113 copyprocess+0x5d1/0x3d50 kernel/fork.c:2225 kernelclone+0x223/0x870 kernel/fork.c:2807 kernelthread+0x1bc/0x240 kernel/fork.c:2869 createkthread kernel/kthread.c:412 [inline] kthreadd+0x60d/0x810 kernel/kthread.c:767 retfromfork+0x4b/0x80 arch/x86/kernel/process.c:147 retfromforkasm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 24: kasansavestack mm/kasan/common.c:47 [inline] kasansavetrack+0x3f/0x80 mm/kasan/common.c:68 kasansavefreeinfo+0x40/0x50 mm/kasan/generic.c:582 poisonslabobject mm/kasan/common.c:247 [inline] _kasanslabfree+0x59/0x70 mm/kasan/common.c:264 kasanslabfree include/linux/kasan.h:233 [inline] slabfreehook mm/slub.c:2338 [inline] slabfree mm/slub.c:4598 [inline] kmemcachefree+0x195/0x410 mm/slub.c:4700 puttaskstruct include/linux/sched/task.h:144 [inline] delayedputtaskstruct+0x125/0x300 kernel/exit.c:227 rcudobatch kernel/rcu/tree.c:2567 [inline] rcucore+0xaaa/0x17a0 kernel/rcu/tree.c:2823 handlesoftirqs+0x2d4/0x9b0 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:943

---truncated---