CVE-2024-53176 in Linux
Summary
by MITRE • 12/27/2024
In the Linux kernel, the following vulnerability has been resolved:
smb: During unmount, ensure all cached dir instances drop their dentry
The unmount process (cifs_kill_sb() calling close_all_cached_dirs()) can race with various cached directory operations, which ultimately results in dentries not being dropped and these kernel BUGs:
BUG: Dentry ffff88814f37e358{i=1000000000080,n=/} still in use (2) [unmount of cifs cifs]
VFS: Busy inodes after unmount of cifs (cifs) ------------[ cut here ]------------
kernel BUG at fs/super.c:661!
This happens when a cfid is in the process of being cleaned up when, and has been removed from the cfids->entries list, including:
- Receiving a lease break from the server - Server reconnection triggers invalidate_all_cached_dirs(), which removes all the cfids from the list - The laundromat thread decides to expire an old cfid.
To solve these problems, dropping the dentry is done in queued work done in a newly-added cfid_put_wq workqueue, and close_all_cached_dirs() flushes that workqueue after it drops all the dentries of which it's aware. This is a global workqueue (rather than scoped to a mount), but the queued work is minimal.
The final cleanup work for cleaning up a cfid is performed via work queued in the serverclose_wq workqueue; this is done separate from dropping the dentries so that close_all_cached_dirs() doesn't block on any server operations.
Both of these queued works expect to invoked with a cfid reference and a tcon reference to avoid those objects from being freed while the work is ongoing.
While we're here, add proper locking to close_all_cached_dirs(), and locking around the freeing of cfid->dentry.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 12/14/2025
The vulnerability CVE-2024-53176 represents a critical race condition within the Linux kernel's CIFS (Common Internet File System) implementation that occurs during filesystem unmount operations. This issue specifically affects the handling of cached directory instances and demonstrates a fundamental flaw in the synchronization mechanisms governing kernel memory management during resource cleanup. The vulnerability stems from improper coordination between the unmount process and active directory operations, creating a scenario where dentries remain in use even after the filesystem has been marked for removal, ultimately leading to kernel BUGs and system instability.
The technical root cause involves a race condition between the cifs_kill_sb() function and various cached directory operations that execute concurrently during unmount procedures. When the unmount process attempts to clean up cached directory entries through close_all_cached_dirs(), it can collide with ongoing directory operations that are still referencing these cached structures. The vulnerability manifests when a cfid (connection file identifier) is in the process of being cleaned up while simultaneously being removed from the cfids->entries list through multiple pathways including lease break notifications from servers, server reconnection events that trigger invalidate_all_cached_dirs(), or automatic expiration by the laundromat thread. This concurrent access pattern results in dentries that should be dropped remaining in use, causing kernel panics with messages indicating "Dentry still in use" and "Busy inodes after unmount."
The exploitation of this vulnerability can lead to severe operational impacts including system crashes, kernel oops, and complete system lockups that require manual rebooting. The race condition creates a state where the kernel's virtual filesystem layer cannot properly manage the lifecycle of cached directory entries, leading to memory leaks and resource exhaustion. From a cybersecurity perspective, this vulnerability represents a denial-of-service risk that could be exploited by malicious actors to disrupt services or potentially escalate privileges through kernel memory corruption. The issue aligns with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and maps to ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell) when considering the potential for privilege escalation through kernel exploitation, though the primary risk remains system stability and availability.
The resolution implemented addresses this vulnerability through a comprehensive redesign of the cleanup process using kernel workqueues to ensure proper ordering and synchronization. The fix introduces a new cfid_put_wq workqueue specifically designed to handle dentry dropping operations, while maintaining a separate serverclose_wq workqueue for the final cleanup tasks. This approach ensures that directory entry cleanup occurs asynchronously and independently from the main unmount process, preventing blocking operations that could lead to deadlocks. The solution requires that all queued work be executed with proper reference counting for both cfid and tcon objects, preventing premature deallocation during cleanup operations. Additionally, the implementation includes proper locking mechanisms around the close_all_cached_dirs() function and the freeing of cfid->dentry structures, establishing a robust synchronization framework that prevents the concurrent access patterns that originally caused the race condition. The use of a global workqueue rather than mount-scoped queues maintains consistency while keeping the queued work minimal, ensuring that the fix does not introduce performance degradation while effectively resolving the synchronization issues that led to the kernel BUGs and system instability.