CVE-2024-47679
Severity CVSS v4.0:
Pending analysis
Type:
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
21/10/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
vfs: fix race between evice_inodes() and find_inode()&iput()<br />
<br />
Hi, all<br />
<br />
Recently I noticed a bug[1] in btrfs, after digged it into<br />
and I believe it&#39;a race in vfs.<br />
<br />
Let&#39;s assume there&#39;s a inode (ie ino 261) with i_count 1 is<br />
called by iput(), and there&#39;s a concurrent thread calling<br />
generic_shutdown_super().<br />
<br />
cpu0: cpu1:<br />
iput() // i_count is 1<br />
->spin_lock(inode)<br />
->dec i_count to 0<br />
->iput_final() generic_shutdown_super()<br />
->__inode_add_lru() ->evict_inodes()<br />
// cause some reason[2] ->if (atomic_read(inode->i_count)) continue;<br />
// return before // inode 261 passed the above check<br />
// list_lru_add_obj() // and then schedule out<br />
->spin_unlock()<br />
// note here: the inode 261<br />
// was still at sb list and hash list,<br />
// and I_FREEING|I_WILL_FREE was not been set<br />
<br />
btrfs_iget()<br />
// after some function calls<br />
->find_inode()<br />
// found the above inode 261<br />
->spin_lock(inode)<br />
// check I_FREEING|I_WILL_FREE<br />
// and passed<br />
->__iget()<br />
->spin_unlock(inode) // schedule back<br />
->spin_lock(inode)<br />
// check (I_NEW|I_FREEING|I_WILL_FREE) flags,<br />
// passed and set I_FREEING<br />
iput() ->spin_unlock(inode)<br />
->spin_lock(inode) ->evict()<br />
// dec i_count to 0<br />
->iput_final()<br />
->spin_unlock()<br />
->evict()<br />
<br />
Now, we have two threads simultaneously evicting<br />
the same inode, which may trigger the BUG(inode->i_state & I_CLEAR)<br />
statement both within clear_inode() and iput().<br />
<br />
To fix the bug, recheck the inode->i_count after holding i_lock.<br />
Because in the most scenarios, the first check is valid, and<br />
the overhead of spin_lock() can be reduced.<br />
<br />
If there is any misunderstanding, please let me know, thanks.<br />
<br />
[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/<br />
[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()<br />
return false when I reproduced the bug.
Impact
Base Score 3.x
4.70
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.37 (including) | 5.10.227 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.168 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.54 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb
- https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1
- https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b
- https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195
- https://git.kernel.org/stable/c/489faddb1ae75b0e1a741fe5ca2542a2b5e794a5
- https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1
- https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11
- https://git.kernel.org/stable/c/6cc13a80a26e6b48f78c725c01b91987d61563ef
- https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html