CVE-2024-47691

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47691
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47691.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-47691
Downstream
Related
Published
2024-10-21T11:53:30Z
Modified
2025-10-15T16:13:53.484072Z
Summary
f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

syzbot reports a f2fs bug as below:

  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
  print_report+0xe8/0x550 mm/kasan/report.c:491
  kasan_report+0x143/0x180 mm/kasan/report.c:601
  kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
  instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
  atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
  __refcount_add include/linux/refcount.h:184 [inline]
  __refcount_inc include/linux/refcount.h:241 [inline]
  refcount_inc include/linux/refcount.h:258 [inline]
  get_task_struct include/linux/sched/task.h:118 [inline]
  kthread_stop+0xca/0x630 kernel/kthread.c:704
  f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
  f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283
  f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]
  __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:907 [inline]
  __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is the race condition below; it may cause a use-after-free issue in the sbi->gc_th pointer.

  • remount
    • f2fs_remount
      • f2fs_stop_gc_thread
        • kfree(gc_th)
                                • f2fs_ioc_shutdown
                                  • f2fs_do_shutdown
                                    • f2fs_stop_gc_thread
                                      • kthread_stop(gc_th->f2fs_gc_task)
        : sbi->gc_thread = NULL;

We will call f2fs_do_shutdown() in two paths:

  • for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore for fixing.
  • for f2fs_shutdown() path, it's safe since caller has already grabbed sb->s_umount semaphore.
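
The interleaving above and the effect of the fix, replayed deterministically as an added example (this is not the kernel code or the patch). It is a single-threaded userspace model: `sb_model`, `caller`, `step` and `replay` are hypothetical names, kfree() is modelled as a flag so a stale access is counted rather than crashing, and remount is assumed to run with s_umount held.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model: kfree() is a flag, so a stale use is counted. */
struct gc_kthread { bool freed; };
struct sb_model {
    struct gc_kthread *gc_thread; /* stands in for sbi->gc_thread */
    bool s_umount_held;           /* stands in for sb->s_umount */
    int stale_uses;               /* uses of gc_th after the modelled kfree() */
};
struct caller { int pc; struct gc_kthread *gc_th; bool takes_lock; };
/* One step of a caller of f2fs_stop_gc_thread(); false = blocked or finished. */
static bool step(struct sb_model *s, struct caller *c)
{
    switch (c->pc) {
    case 0: /* take s_umount if this path does; block while another holds it */
        if (c->takes_lock) { if (s->s_umount_held) return false; s->s_umount_held = true; }
        break;
    case 1: /* gc_th = sbi->gc_thread; NULL means nothing left to stop */
        c->gc_th = s->gc_thread;
        if (!c->gc_th) c->pc = 4; /* the pc++ below then lands on the unlock */
        break;
    case 2: if (c->gc_th->freed) s->stale_uses++; break; /* kthread_stop(...) */
    case 3: c->gc_th->freed = true; break;               /* kfree(gc_th) */
    case 4: s->gc_thread = NULL; break;                  /* sbi->gc_thread = NULL */
    case 5: if (c->takes_lock) s->s_umount_held = false; break;
    default: return false;
    }
    c->pc++;
    return true;
}

/* Replay the advisory's interleaving; returns how often freed gc_th was used. */
static int replay(bool ioctl_takes_lock)
{
    struct gc_kthread th = { false };
    struct sb_model s = { &th, false, 0 };
    struct caller remount = { 0, NULL, true }; /* assumed: remount holds s_umount */
    struct caller ioc = { 0, NULL, ioctl_takes_lock };
    while (remount.pc < 4) step(&s, &remount); /* remount stops just after kfree() */
    while (step(&s, &ioc)) {}                  /* blocks at once if it needs s_umount */
    while (step(&s, &remount)) {}              /* sbi->gc_thread = NULL, then unlock */
    while (step(&s, &ioc)) {}                  /* a blocked ioctl resumes and sees NULL */
    return s.stale_uses;
}

int main(void)
{
    printf("without s_umount: %d, with s_umount: %d\n", replay(false), replay(true));
}
```

With the ioctl path outside the lock, it reads the pointer between the other caller's kfree() and its NULL store; once it takes s_umount, it cannot start until the pointer is already NULL.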

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7950e9ac638e84518fbdd5c930939ad46a1068c5
Fixed
fc18e655b62ac6bc9f12f5de0d749b4a3fe1e812
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7950e9ac638e84518fbdd5c930939ad46a1068c5
Fixed
7c339dee7eb0f8e4cadc317c595f898ef04dae30
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7950e9ac638e84518fbdd5c930939ad46a1068c5
Fixed
d79343cd66343709e409d96b2abb139a0a55ce34
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7950e9ac638e84518fbdd5c930939ad46a1068c5
Fixed
c7f114d864ac91515bb07ac271e9824a20f5ed95

Affected versions

v4.*

v4.15
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7

v5.*

v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.10
v6.10.11
v6.10.12
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.10.7
v6.10.8
v6.10.9
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.16.0
Fixed
6.6.54
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.10.13
Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.2