{"id":"CVE-2024-57892","summary":"ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix slab-use-after-free due to dangling pointer dqi_priv\n\nWhen mounting ocfs2 and then remounting it as read-only, a\nslab-use-after-free occurs after the user uses a syscall to\nquota_getnextquota.  Specifically, sb_dqinfo(sb, type)-\u003edqi_priv is the\ndangling pointer.\n\nDuring the remounting process, the pointer dqi_priv is freed but is never\nset as null leaving it to be accessed.  Additionally, the read-only option\nfor remounting sets the DQUOT_SUSPENDED flag instead of setting the\nDQUOT_USAGE_ENABLED flags.  Moreover, later in the process of getting the\nnext quota, the function ocfs2_get_next_id is called and only checks the\nquota usage flags and not the quota suspended flags.\n\nTo fix this, I set dqi_priv to null when it is freed after remounting with\nread-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.\n\n[akpm@linux-foundation.org: coding-style cleanups]","modified":"2026-04-02T12:25:21.192615Z","published":"2025-01-15T13:05:44.635Z","related":["MGASA-2025-0030","MGASA-2025-0032","SUSE-SU-2025:0236-1","SUSE-SU-2025:0289-1","SUSE-SU-2025:0428-1","SUSE-SU-2025:0499-1","SUSE-SU-2025:0557-1","SUSE-SU-2025:20165-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20248-1","SUSE-SU-2025:20249-1","USN-7379-2","USN-7380-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57892.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2d431192486367eee03cc28d0b53b97dafcb8e63"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2e3d203b1adede46bbba049e497765d67865be18"},{"type":"WEB","url":"https://git.kernel.org/stable/c/58f9e20e2a7602e1dd649a1ec4790077c251cb6c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5f3fd772d152229d94602bca243fbb658068a597"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8ff6f635a08c30559ded0c110c7ce03ba7747d11"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ba950a02d8d23811aa1120affd3adedcfac6153d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f44e6d70c100614c211703f065cad448050e4a0e"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57892.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-57892"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8f9e8f5fcc059a3cba87ce837c88316797ef3645"},{"fixed":"58f9e20e2a7602e1dd649a1ec4790077c251cb6c"},{"fixed":"8ff6f635a08c30559ded0c110c7ce03ba7747d11"},{"fixed":"f44e6d70c100614c211703f065cad448050e4a0e"},{"fixed":"2d431192486367eee03cc28d0b53b97dafcb8e63"},{"fixed":"2e3d203b1adede46bbba049e497765d67865be18"},{"fixed":"ba950a02d8d23811aa1120affd3adedcfac6153d"},{"fixed":"5f3fd772d152229d94602bca243fbb658068a597"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-57892.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}