CVE - CVE-2024-47679

CVE-ID
CVE-2024-47679	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: vfs: fix race between evice_inodes() and find_inode()&iput() Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super(). cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before // inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING\|I_WILL_FREE was not been set btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING\|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode) // schedule back ->spin_lock(inode) // check (I_NEW\|I_FREEING\|I_WILL_FREE) flags, // passed and set I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict() Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput(). To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced. If there is any misunderstanding, please let me know, thanks. [1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ [2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb URL:https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb MISC:https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1 URL:https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1 MISC:https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b URL:https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b MISC:https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195 URL:https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195 MISC:https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1 URL:https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1 MISC:https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11 URL:https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11 MISC:https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687 URL:https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687
Assigning CNA
kernel.org
Date Record Created
20240930	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240930)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)