CVE-2024-57896: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-57896 affects the Linux kernel's btrfs filesystem component. The vulnerability was discovered in January 2025 and involves a use-after-free issue during the filesystem unmount process. The issue occurs in the close_ctree() function where the cleaner kthread is stopped before the delalloc workers queue is fully processed, potentially leading to accessing freed memory (NVD).

The vulnerability occurs during the unmount path in closectree() when the cleaner kthread is stopped using kthreadstop(), which frees the associated taskstruct. However, workers from the delallocworkers queue may still be running submitcompressedextents(), which calls btrfsadddelayediput() and attempts to wake up the already destroyed cleaner kthread. This results in a use-after-free condition on the taskstruct. The issue has been assigned a CVSS v3.1 base score of 7.8 HIGH with vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to privilege escalation, denial of service, or information leaks in systems using the btrfs filesystem. The issue affects multiple versions of the Linux kernel, including versions up to 5.10.233, 5.11 to 5.15.176, 5.16 to 6.1.124, 6.2 to 6.6.70, and 6.7 to 6.12.9 (Debian LTS).

The issue has been fixed by adding code to flush the delalloc workers queue before stopping the cleaner kthread during unmount. The fix has been implemented in the Linux kernel and is available through various distribution updates. Users are recommended to upgrade their systems to patched versions (Kernel Patch).