In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and then making a syncfs system call can lead to a use-after-free in __mutex_lock in kernel/locking/mutex.c. This is related to mutex_can_spin_on_owner in kernel/locking/mutex.c, __btrfs_qgroup_free_meta in fs/btrfs/qgroup.c, and btrfs_insert_delayed_items in fs/btrfs/delayed-inode.c. Reference: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19813
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1784913]
For Rhel8 the BTRFS not being used ("CONFIG_BTRFS_FS is not set"), so bug not actual for Rhel8. Before Rhel8 this bug was not actual, because function mutex_can_spin_on_owner(..) was different: the code in Rhel7 didn't contain "owner = __mutex_owner(lock)" yet and the bug is because of this line of code and then check "owner->on_cpu" where owner could be already freed even it was not NULL a moment before; also __mutex_owner(..) could return NULL by design and should not be called directly; for more details regarding __mutex_owner(..), see https://github.com/torvalds/linux/blob/master/kernel/locking/mutex.c , and example of usage in func mutex_is_locked(..). The provided info above could be used to develop patch (since I didn't find ready to use patch).
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19813
This was fixed for Fedora with the 5.2 kernel rebases.