CVE-2024-47679
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
vfs: fix race between evice_inodes() and find_inode()&iput()
Hi, all
Recently I noticed a bug1 in btrfs, after digged it into and I believe it'a race in vfs.
Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super().
cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before // inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING|I_WILL_FREE was not been set
btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode) // schedule back ->spin_lock(inode) // check (I_NEW|I_FREEING|I_WILL_FREE) flags, // passed and set I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict()
Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput().
To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced.
If there is any misunderstanding, please let me know, thanks.
[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 63997e98a3be68d7cec806d22bf9b02b2e1daabb < 6cc13a80a26e6b48f78c725c01b91987d61563ef | affected |
| Linux | Linux | 63997e98a3be68d7cec806d22bf9b02b2e1daabb < 489faddb1ae75b0e1a741fe5ca2542a2b5e794a5 | affected |
| Linux | Linux | 63997e98a3be68d7cec806d22bf9b02b2e1daabb < 47a68c75052a660e4c37de41e321582ec9496195 | affected |
| Linux | Linux | 63997e98a3be68d7cec806d22bf9b02b2e1daabb < 3721a69403291e2514d13a7c3af50a006ea1153b | affected |
| Linux | Linux | 63997e98a3be68d7cec806d22bf9b02b2e1daabb < 540fb13120c9eab3ef203f90c00c8e69f37449d1 | affected |
| Linux | Linux | 63997e98a3be68d7cec806d22bf9b02b2e1daabb < 0eed942bc65de1f93eca7bda51344290f9c573bb | affected |
| Linux | Linux | 63997e98a3be68d7cec806d22bf9b02b2e1daabb < 0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1 | affected |
| Linux | Linux | 63997e98a3be68d7cec806d22bf9b02b2e1daabb < 6c857fb12b9137fee574443385d53914356bbe11 | affected |
| Linux | Linux | 63997e98a3be68d7cec806d22bf9b02b2e1daabb < 88b1afbf0f6b221f6c5bb66cc80cd3b38d696687 | affected |
| Linux | Linux | 2.6.37 | affected |
| Linux | Linux | 0 < 2.6.37 | unaffected |
| Linux | Linux | 4.19.323 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.285 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.227 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.168 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.113 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.54 <= 6.6.* | unaffected |
| Linux | Linux | 6.10.13 <= 6.10.* | unaffected |
| Linux | Linux | 6.11.2 <= 6.11.* | unaffected |
| Linux | Linux | 6.12 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
References
- https://git.kernel.org/stable/c/6cc13a80a26e6b48f78c725c01b91987d61563ef
- https://git.kernel.org/stable/c/489faddb1ae75b0e1a741fe5ca2542a2b5e794a5
- https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195
- https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b
- https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1
- https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb
- https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1
- https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11
- https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.