CVE-2024-50280 in Linux
Summary
by MITRE • 11/19/2024
In the Linux kernel, the following vulnerability has been resolved:
dm cache: fix flushing uninitialized delayed_work on cache_ctr error
An unexpected WARN_ON from flush_work() may occur when cache creation fails, caused by destroying the uninitialized delayed_work waker in the error path of cache_create(). For example, the warning appears on the superblock checksum error.
Reproduce steps:
dmsetup create cmeta --table "0 8192 linear /dev/sdc 0" dmsetup create cdata --table "0 65536 linear /dev/sdc 8192" dmsetup create corig --table "0 524288 linear /dev/sdc 262144" dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \ /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
Kernel logs:
(snip) WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890
Fix by pulling out the cancel_delayed_work_sync() from the constructor's error path. This patch doesn't affect the use-after-free fix for concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix UAF in destroy()")) as cache_dtr is not changed.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2025
The vulnerability described in CVE-2024-50280 resides within the Linux device mapper cache subsystem, specifically affecting the dm-cache module's handling of work queue management during cache creation failures. This issue manifests as an unexpected kernel warning when the cache creation process encounters an error condition, particularly when dealing with metadata checksum validation failures. The root cause stems from improper cleanup of uninitialized delayed work structures during error paths in the cache creation routine, creating a scenario where kernel debugging assertions fail and potentially disrupt system stability. The vulnerability impacts the device mapper's ability to gracefully handle initialization failures while maintaining proper resource cleanup semantics.
The technical flaw occurs in the cache_ctr function where the delayed_work structure remains uninitialized when cache creation fails, yet the error path attempts to cancel this work structure using cancel_delayed_work_sync(). This premature cancellation of an uninitialized work queue element triggers a kernel warning in the flush_work() function located at kernel/workqueue.c line 4178. The warning originates from the __flush_work function which validates work structure integrity before processing, and the uninitialized delayed_work structure fails these validation checks. The specific error path involves the dmsetup command sequence that creates cache mappings with metadata and data devices, where the metadata2 mode triggers the problematic code path when checksum validation fails during the cache creation process.
The operational impact of this vulnerability extends beyond simple kernel warnings to potentially destabilizing system operations in environments utilizing device mapper caching. When the cache creation fails due to metadata errors, the improper cleanup can cause kernel oops conditions or system hangs during cleanup operations, particularly in high-availability or storage-intensive environments where cache operations are frequent. The vulnerability affects systems running Linux kernels that include the specific patch series addressing concurrent dm_resume and dm_destroy operations, as the fix maintains compatibility with existing UAF prevention mechanisms while addressing the uninitialized work structure issue. This creates a potential denial of service scenario where cache creation failures can cascade into system instability, especially in automated storage management scenarios.
Mitigation strategies should focus on applying the kernel patch that removes the cancel_delayed_work_sync() call from the error path of cache creation, ensuring that work structures are only canceled when properly initialized. System administrators should prioritize updating to kernel versions containing the fix, particularly in production environments where device mapper caching is actively used. The fix maintains backward compatibility with existing UAF protection mechanisms while preventing the premature work structure cleanup that causes the warning condition. Monitoring for kernel warnings related to workqueue operations during cache creation failures should be implemented as part of system health checks, as these warnings may indicate potential resource leak conditions or system instability. Organizations should also consider implementing proper error handling procedures for cache creation operations to minimize exposure to this vulnerability during normal operations.
This vulnerability aligns with CWE-457: Use of Uninitialized Variable, which specifically addresses scenarios where uninitialized variables are used in operations that require proper initialization. The issue also relates to ATT&CK technique T1490: Inhibit System Recovery, as improper cleanup during error conditions can lead to system instability and reduced availability. The device mapper cache subsystem represents a critical component in Linux storage architectures, making this vulnerability particularly concerning for enterprise storage environments where reliability and predictable operation are paramount. The fix demonstrates proper resource management principles by ensuring that cleanup operations only occur on properly initialized structures, preventing the cascade of errors that can occur when uninitialized resources are improperly handled.