CVE-2024-53218 in Linux

Summary

by MITRE • 12/27/2024

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix race in concurrent f2fs_stop_gc_thread

In my test case, concurrent calls to f2fs shutdown report the following stack trace:

Oops: general protection fault, probably for non-canonical address 0xc6cfff63bb5513fc: 0000 [#1] PREEMPT SMP PTI
CPU: 0 UID: 0 PID: 678 Comm: f2fs_rep_shutdo Not tainted 6.12.0-rc5-next-20241029-g6fb2fa9805c5-dirty #85
Call Trace:
 ? show_regs+0x8b/0xa0
 ? __die_body+0x26/0xa0
 ? die_addr+0x54/0x90
 ? exc_general_protection+0x24b/0x5c0
 ? asm_exc_general_protection+0x26/0x30
 ? kthread_stop+0x46/0x390
 f2fs_stop_gc_thread+0x6c/0x110
 f2fs_do_shutdown+0x309/0x3a0
 f2fs_ioc_shutdown+0x150/0x1c0
 __f2fs_ioctl+0xffd/0x2ac0
 f2fs_ioctl+0x76/0xe0
 vfs_ioctl+0x23/0x60
 __x64_sys_ioctl+0xce/0xf0
 x64_sys_call+0x2b1b/0x4540
 do_syscall_64+0xa7/0x240
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The root cause is a race condition in f2fs_stop_gc_thread() called from different f2fs shutdown paths:

[CPU0]                              [CPU1]
----------------------              -----------------------
f2fs_stop_gc_thread                 f2fs_stop_gc_thread
  gc_th = sbi->gc_thread
                                      gc_th = sbi->gc_thread
  kfree(gc_th)
  sbi->gc_thread = NULL
                                      kthread_stop(gc_th->f2fs_gc_task) //UAF

The commit c7f114d864ac ("f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()") attempted to fix this issue by using a read semaphore to prevent races between shutdown and remount threads, but it fails to prevent all race conditions.

Fix it by converting to write lock of s_umount in f2fs_do_shutdown().


Analysis

by VulDB Data Team • 12/15/2025

The vulnerability CVE-2024-53218 represents a critical race condition in the Linux kernel's f2fs (Flash-Friendly File System) implementation that can lead to use-after-free conditions during concurrent shutdown operations. This issue manifests when multiple threads attempt to stop the garbage collection thread simultaneously, creating a scenario where memory is accessed after the associated structure has been freed, potentially resulting in system instability or privilege escalation. The vulnerability specifically affects the f2fs_stop_gc_thread function, which is invoked from various shutdown paths within the file system driver.

The technical flaw stems from insufficient synchronization mechanisms during the shutdown process of f2fs filesystems. When concurrent calls to f2fs shutdown occur, the race condition allows one thread to free the garbage collection thread structure while another thread attempts to operate on the same freed memory. The stack trace reveals a general protection fault occurring at f2fs_stop_gc_thread where the kernel attempts to access a non-canonical address, indicating that the memory location has already been deallocated. The specific sequence shows that CPU0 retrieves the gc_thread pointer and frees it, while CPU1 attempts to call kthread_stop on the same freed thread structure, creating a classic use-after-free scenario classified under CWE-416.

This vulnerability directly impacts system stability and security by potentially allowing malicious actors to exploit the race condition for privilege escalation or denial-of-service attacks. The operational impact extends beyond simple system crashes as the use-after-free condition can be leveraged to execute arbitrary code in kernel space, particularly when combined with other exploitation techniques. The vulnerability affects systems running Linux kernels with f2fs filesystem support, particularly those utilizing concurrent shutdown operations or remount scenarios that trigger the problematic code path. Attackers could exploit this by creating race conditions through rapid shutdown and remount operations, potentially leading to complete system compromise.

The mitigation strategy involves converting the synchronization mechanism from a read semaphore to a write lock on s_umount within the f2fs_do_shutdown function, as implemented in the fix. This approach ensures exclusive access during the shutdown process, preventing concurrent access to the garbage collection thread structure that would otherwise lead to the use-after-free condition. The solution aligns with ATT&CK technique T1068 by addressing a kernel-level privilege escalation vector, while also following security best practices for concurrent access control. Organizations should apply the kernel patch immediately and monitor systems for any signs of exploitation attempts, particularly in environments where f2fs filesystems are actively used with concurrent shutdown operations or where rapid remount scenarios are common. The fix addresses the root cause by ensuring proper mutual exclusion during critical shutdown operations, eliminating the race condition that enabled the use-after-free vulnerability.
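The interleaving from the commit message and the write-lock fix discussed above, as an added example that is not part of this page or of the kernel's f2fs code: a constructed C model in which a shared (read) lock lets both callers load the same gc_thread pointer before one of them frees it, while an exclusive (write) lock serialises them so the second caller sees NULL and returns early. The lock, the turn scheduler and the struct names are stand-ins for s_umount, CPU interleaving and f2fs's own types, not the real implementation.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of two shutdown callers racing in f2fs_stop_gc_thread(), not
 * kernel code: the lock stands in for s_umount, the turn order for CPU interleaving. */
enum mode { READ_LOCK, WRITE_LOCK };
enum step { S_LOCK, S_LOAD, S_STOP, S_FREE, S_DONE };
struct gc_thread { bool freed; };                       /* f2fs_gc_kthread stand-in */
struct sbi { struct gc_thread *gc_thread; int readers, writer; };
struct cpu { enum step pc; struct gc_thread *gc_th; bool uaf; };

static bool try_lock(struct sbi *s, enum mode m)
{
    if (s->writer) return false;                        /* a writer excludes everyone */
    if (m == READ_LOCK) { s->readers++; return true; }  /* readers share the lock     */
    if (s->readers) return false;
    s->writer = 1; return true;
}
static void unlock(struct sbi *s, enum mode m) { if (m == READ_LOCK) s->readers--; else s->writer = 0; }

/* One statement of f2fs_stop_gc_thread() on one CPU; if the lock is busy, the CPU loses its turn. */
static void run_step(struct sbi *s, struct cpu *c, enum mode m)
{
    switch (c->pc) {
    case S_LOCK: if (try_lock(s, m)) c->pc = S_LOAD; break;
    case S_LOAD:                                        /* gc_th = sbi->gc_thread; if (!gc_th) return; */
        c->gc_th = s->gc_thread;
        if (c->gc_th) { c->pc = S_STOP; break; }
        unlock(s, m); c->pc = S_DONE; break;
    case S_STOP:                                        /* kthread_stop(gc_th->f2fs_gc_task)    */
        if (c->gc_th->freed) c->uaf = true;             /* dereference of a freed object = UAF  */
        c->pc = S_FREE; break;
    case S_FREE:                                        /* kfree(gc_th); sbi->gc_thread = NULL; */
        c->gc_th->freed = true; s->gc_thread = NULL;
        unlock(s, m); c->pc = S_DONE; break;
    case S_DONE: break;
    }
}

/* Replay the commit's interleaving under lock mode m; true if either CPU hit the UAF. */
bool race(enum mode m)
{
    struct gc_thread th = { false };
    struct sbi s = { &th, 0, 0 };
    struct cpu c[2] = { { S_LOCK, NULL, false }, { S_LOCK, NULL, false } };
    static const int order[] = { 0, 1, 0, 1, 0, 0, 1, 1, 1, 1 };   /* which CPU runs each turn */
    for (size_t i = 0; i < sizeof order / sizeof order[0]; i++)
        run_step(&s, &c[order[i]], m);
    return c[0].uaf || c[1].uaf;
}
```

With READ_LOCK both CPUs pass the lock and the NULL check before CPU0 frees the object, so CPU1's kthread_stop step touches freed memory; with WRITE_LOCK CPU1 is held at the lock until CPU0 has freed and cleared the pointer, then takes the early-return path.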

Responsible: Linux
Reservation: 11/19/2024
Disclosure: 12/27/2024
Moderation: accepted
CPE: ready
EPSS: 0.00013
KEV: no
Activities: very low
