CVE-2024-53221: f2fs: fix null-ptr-deref in f2fs_submit_page_bio()
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix null-ptr-deref in f2fs_submit_page_bio()
There's issue as follows when concurrently installing the f2fs.ko
module and mounting the f2fs file system:
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
RIP: 0010:__bio_alloc+0x2fb/0x6c0 [f2fs]
Call Trace:
<TASK>
f2fs_submit_page_bio+0x126/0x8b0 [f2fs]
__get_meta_page+0x1d4/0x920 [f2fs]
get_checkpoint_version.constprop.0+0x2b/0x3c0 [f2fs]
validate_checkpoint+0xac/0x290 [f2fs]
f2fs_get_valid_checkpoint+0x207/0x950 [f2fs]
f2fs_fill_super+0x1007/0x39b0 [f2fs]
mount_bdev+0x183/0x250
legacy_get_tree+0xf4/0x1e0
vfs_get_tree+0x88/0x340
do_new_mount+0x283/0x5e0
path_mount+0x2b2/0x15b0
__x64_sys_mount+0x1fe/0x270
do_syscall_64+0x5f/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Above issue happens as the biset of the f2fs file system is not
initialized before register "f2fs_fs_type".
To address above issue just register "f2fs_fs_type" at the last in
init_f2fs_fs(). Ensure that all f2fs file system resources are
initialized.
Security readout for executives and security teams
Plain-English summary
CVE-2024-53221 is a Linux kernel f2fs bug that can trigger a null pointer dereference during a race between loading the f2fs module and mounting an f2fs filesystem. The practical concern is system instability or denial of service on systems where f2fs is present and mount operations are possible.
Executive priority
Treat this as a stability and local denial-of-service risk, not a confirmed remote compromise issue. Patch through normal kernel maintenance, with higher priority for devices or servers that use f2fs or process untrusted removable storage.
Technical view
The flaw is in f2fs initialization order. f2fs_fs_type was registered before all f2fs resources, including the bioset, were initialized. A concurrent mount can reach f2fs_submit_page_bio(), then __bio_alloc(), before initialization completes, causing a null pointer dereference.
Likely exposure
Exposure is most relevant to Linux systems using or allowing f2fs, especially where f2fs.ko can be loaded and f2fs filesystems can be mounted. The bundle does not prove remote exposure. Mounting and module loading are typically privileged or capability-gated operations.
Exploitation context
The provided sources describe a concurrency-triggered crash condition and mark KEV as false. There is no cited evidence of active exploitation, public weaponization, or remote attack paths in the supplied bundle.
Researcher notes
The root cause is initialization ordering in init_f2fs_fs(), fixed by registering f2fs_fs_type last after resources are initialized. Evidence is limited to kernel/CVE records; no CVSS, CWE, exploit confirmation, or complete distro-specific affected matrix is provided.
Mitigation direction
Update to a vendor kernel containing the referenced f2fs stable fixes.
Prioritize systems that use f2fs or allow removable f2fs media mounts.
Check distribution advisories for exact fixed package versions.
Restrict untrusted users from mounting filesystems where policy allows.
Review kernel module loading controls for f2fs on systems that do not need it.
Validation and detection
Inventory kernel versions against vendor advisories and referenced stable commits.
Identify hosts with f2fs enabled, loaded, or used in storage workflows.
Review crash logs for f2fs null pointer dereference traces.
Confirm patched kernels register f2fs only after required resources initialize.
Validate exposure assumptions around local mount permissions and module loading.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2024-53221 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
7Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 27, 2024, 13:50 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.