CVE-2024-49867: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49867 affects the Linux kernel's BTRFS file system implementation. The vulnerability was discovered and reported by Syzbot in October 2024, affecting Linux kernel versions up to (excluding) 5.10.227, from 5.11 up to (excluding) 5.15.168, from 5.16 up to (excluding) 6.1.113, from 6.2 up to (excluding) 6.6.55, and from 6.7 up to (excluding) 6.10.14 (NVD).

The vulnerability is a use-after-free issue in the BTRFS file system during unmount operations. During closectree(), the system executes steps in sequence: 1) Parks the cleaner kthread (halting execution), 2) Stops the cleaner kthread (freeing taskstruct), and 3) Calls btrfsstopallworkers(). The issue occurs when a fixup worker attempts to perform a delayed iput on its inode while trying to wake up the cleaner thread after the cleaner's taskstruct has already been freed (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 MEDIUM (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

The vulnerability can result in a system crash (denial of service) when attempting to unmount a BTRFS filesystem. The issue manifests as a use-after-free condition when the fixup worker tries to access the already freed cleaner kthread's task_struct (Kernel Patch).

The issue has been fixed by adding a wait for fixup workers to complete before stopping the cleaner kthread during unmount. The fix involves calling btrfsflushworkqueue() on the fixup workers before the cleaner kthread is stopped (Kernel Patch). Users should update to patched kernel versions: 5.10.227 or later, 5.15.168 or later, 6.1.113 or later, 6.6.55 or later, or 6.10.14 or later (NVD).