{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47679", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-09-30T16:00:12.939Z", "datePublished": "2024-10-21T11:53:22.469Z", "dateUpdated": "2024-11-08T15:56:10.165Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-08T15:56:10.165Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: fix race between evice_inodes() and find_inode()&iput()\n\nHi, all\n\nRecently I noticed a bug[1] in btrfs, after digged it into\nand I believe it'a race in vfs.\n\nLet's assume there's a inode (ie ino 261) with i_count 1 is\ncalled by iput(), and there's a concurrent thread calling\ngeneric_shutdown_super().\n\ncpu0: cpu1:\niput() // i_count is 1\n ->spin_lock(inode)\n ->dec i_count to 0\n ->iput_final() generic_shutdown_super()\n ->__inode_add_lru() ->evict_inodes()\n // cause some reason[2] ->if (atomic_read(inode->i_count)) continue;\n // return before // inode 261 passed the above check\n // list_lru_add_obj() // and then schedule out\n ->spin_unlock()\n// note here: the inode 261\n// was still at sb list and hash list,\n// and I_FREEING|I_WILL_FREE was not been set\n\nbtrfs_iget()\n // after some function calls\n ->find_inode()\n // found the above inode 261\n ->spin_lock(inode)\n // check I_FREEING|I_WILL_FREE\n // and passed\n ->__iget()\n ->spin_unlock(inode) // schedule back\n ->spin_lock(inode)\n // check (I_NEW|I_FREEING|I_WILL_FREE) flags,\n // passed and set I_FREEING\niput() ->spin_unlock(inode)\n ->spin_lock(inode)\t\t\t ->evict()\n // dec i_count to 0\n ->iput_final()\n ->spin_unlock()\n ->evict()\n\nNow, we have two threads simultaneously evicting\nthe same inode, which may trigger the BUG(inode->i_state & I_CLEAR)\nstatement both within clear_inode() and iput().\n\nTo fix the bug, recheck the inode->i_count after holding i_lock.\nBecause in the most scenarios, the first check is valid, and\nthe overhead of spin_lock() can be reduced.\n\nIf there is any misunderstanding, please let me know, thanks.\n\n[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/\n[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()\nreturn false when I reproduced the bug."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/inode.c"], "versions": [{"version": "63997e98a3be", "lessThan": "6cc13a80a26e", "status": "affected", "versionType": "git"}, {"version": "63997e98a3be", "lessThan": "489faddb1ae7", "status": "affected", "versionType": "git"}, {"version": "63997e98a3be", "lessThan": "47a68c75052a", "status": "affected", "versionType": "git"}, {"version": "63997e98a3be", "lessThan": "3721a6940329", "status": "affected", "versionType": "git"}, {"version": "63997e98a3be", "lessThan": "540fb13120c9", "status": "affected", "versionType": "git"}, {"version": "63997e98a3be", "lessThan": "0eed942bc65d", "status": "affected", "versionType": "git"}, {"version": "63997e98a3be", "lessThan": "0f8a5b6d0daf", "status": "affected", "versionType": "git"}, {"version": "63997e98a3be", "lessThan": "6c857fb12b91", "status": "affected", "versionType": "git"}, {"version": "63997e98a3be", "lessThan": "88b1afbf0f6b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/inode.c"], "versions": [{"version": "2.6.37", "status": "affected"}, {"version": "0", "lessThan": "2.6.37", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.323", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.285", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.227", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.168", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.113", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.54", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.13", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.2", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/6cc13a80a26e6b48f78c725c01b91987d61563ef"}, {"url": "https://git.kernel.org/stable/c/489faddb1ae75b0e1a741fe5ca2542a2b5e794a5"}, {"url": "https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195"}, {"url": "https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b"}, {"url": "https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1"}, {"url": "https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb"}, {"url": "https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1"}, {"url": "https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11"}, {"url": "https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687"}], "title": "vfs: fix race between evice_inodes() and find_inode()&iput()", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47679", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-21T13:07:33.659444Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-21T13:14:16.951Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47679", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-21T13:07:33.659444Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-21T13:07:37.060Z"}}], "cna": {"title": "vfs: fix race between evice_inodes() and find_inode()&iput()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "63997e98a3be", "lessThan": "6cc13a80a26e", "versionType": "git"}, {"status": "affected", "version": "63997e98a3be", "lessThan": "489faddb1ae7", "versionType": "git"}, {"status": "affected", "version": "63997e98a3be", "lessThan": "47a68c75052a", "versionType": "git"}, {"status": "affected", "version": "63997e98a3be", "lessThan": "3721a6940329", "versionType": "git"}, {"status": "affected", "version": "63997e98a3be", "lessThan": "540fb13120c9", "versionType": "git"}, {"status": "affected", "version": "63997e98a3be", "lessThan": "0eed942bc65d", "versionType": "git"}, {"status": "affected", "version": "63997e98a3be", "lessThan": "0f8a5b6d0daf", "versionType": "git"}, {"status": "affected", "version": "63997e98a3be", "lessThan": "6c857fb12b91", "versionType": "git"}, {"status": "affected", "version": "63997e98a3be", "lessThan": "88b1afbf0f6b", "versionType": "git"}], "programFiles": ["fs/inode.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "2.6.37"}, {"status": "unaffected", "version": "0", "lessThan": "2.6.37", "versionType": "semver"}, {"status": "unaffected", "version": "4.19.323", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.285", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.227", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.168", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.113", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.54", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.10.13", "versionType": "semver", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11.2", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12-rc1", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/inode.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6cc13a80a26e6b48f78c725c01b91987d61563ef"}, {"url": "https://git.kernel.org/stable/c/489faddb1ae75b0e1a741fe5ca2542a2b5e794a5"}, {"url": "https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195"}, {"url": "https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b"}, {"url": "https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1"}, {"url": "https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb"}, {"url": "https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1"}, {"url": "https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11"}, {"url": "https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: fix race between evice_inodes() and find_inode()&iput()\n\nHi, all\n\nRecently I noticed a bug[1] in btrfs, after digged it into\nand I believe it'a race in vfs.\n\nLet's assume there's a inode (ie ino 261) with i_count 1 is\ncalled by iput(), and there's a concurrent thread calling\ngeneric_shutdown_super().\n\ncpu0: cpu1:\niput() // i_count is 1\n ->spin_lock(inode)\n ->dec i_count to 0\n ->iput_final() generic_shutdown_super()\n ->__inode_add_lru() ->evict_inodes()\n // cause some reason[2] ->if (atomic_read(inode->i_count)) continue;\n // return before // inode 261 passed the above check\n // list_lru_add_obj() // and then schedule out\n ->spin_unlock()\n// note here: the inode 261\n// was still at sb list and hash list,\n// and I_FREEING|I_WILL_FREE was not been set\n\nbtrfs_iget()\n // after some function calls\n ->find_inode()\n // found the above inode 261\n ->spin_lock(inode)\n // check I_FREEING|I_WILL_FREE\n // and passed\n ->__iget()\n ->spin_unlock(inode) // schedule back\n ->spin_lock(inode)\n // check (I_NEW|I_FREEING|I_WILL_FREE) flags,\n // passed and set I_FREEING\niput() ->spin_unlock(inode)\n ->spin_lock(inode)\t\t\t ->evict()\n // dec i_count to 0\n ->iput_final()\n ->spin_unlock()\n ->evict()\n\nNow, we have two threads simultaneously evicting\nthe same inode, which may trigger the BUG(inode->i_state & I_CLEAR)\nstatement both within clear_inode() and iput().\n\nTo fix the bug, recheck the inode->i_count after holding i_lock.\nBecause in the most scenarios, the first check is valid, and\nthe overhead of spin_lock() can be reduced.\n\nIf there is any misunderstanding, please let me know, thanks.\n\n[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/\n[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()\nreturn false when I reproduced the bug."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-08T15:56:10.165Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47679", "state": "PUBLISHED", "dateUpdated": "2024-11-08T15:56:10.165Z", "dateReserved": "2024-09-30T16:00:12.939Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-10-21T11:53:22.469Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "205A6F87-4258-4528-8078-AC66AD2A7B07", "versionEndExcluding": "5.10.227", "versionStartIncluding": "2.6.37", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D51C05D-455B-4D8D-89E7-A58E140B864C", "versionEndExcluding": "5.15.168", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D01BD22E-ACD1-4618-9D01-6116570BE1EE", "versionEndExcluding": "6.1.113", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D448821D-C085-4CAF-88FA-2DDE7BE21976", "versionEndExcluding": "6.6.54", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE94BB8D-B0AB-4563-9ED7-A12122B56EBE", "versionEndExcluding": "6.10.13", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB755D26-97F4-43B6-8604-CD076811E181", "versionEndExcluding": "6.11.2", "versionStartIncluding": "6.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: fix race between evice_inodes() and find_inode()&iput()\n\nHi, all\n\nRecently I noticed a bug[1] in btrfs, after digged it into\nand I believe it'a race in vfs.\n\nLet's assume there's a inode (ie ino 261) with i_count 1 is\ncalled by iput(), and there's a concurrent thread calling\ngeneric_shutdown_super().\n\ncpu0: cpu1:\niput() // i_count is 1\n ->spin_lock(inode)\n ->dec i_count to 0\n ->iput_final() generic_shutdown_super()\n ->__inode_add_lru() ->evict_inodes()\n // cause some reason[2] ->if (atomic_read(inode->i_count)) continue;\n // return before // inode 261 passed the above check\n // list_lru_add_obj() // and then schedule out\n ->spin_unlock()\n// note here: the inode 261\n// was still at sb list and hash list,\n// and I_FREEING|I_WILL_FREE was not been set\n\nbtrfs_iget()\n // after some function calls\n ->find_inode()\n // found the above inode 261\n ->spin_lock(inode)\n // check I_FREEING|I_WILL_FREE\n // and passed\n ->__iget()\n ->spin_unlock(inode) // schedule back\n ->spin_lock(inode)\n // check (I_NEW|I_FREEING|I_WILL_FREE) flags,\n // passed and set I_FREEING\niput() ->spin_unlock(inode)\n ->spin_lock(inode)\t\t\t ->evict()\n // dec i_count to 0\n ->iput_final()\n ->spin_unlock()\n ->evict()\n\nNow, we have two threads simultaneously evicting\nthe same inode, which may trigger the BUG(inode->i_state & I_CLEAR)\nstatement both within clear_inode() and iput().\n\nTo fix the bug, recheck the inode->i_count after holding i_lock.\nBecause in the most scenarios, the first check is valid, and\nthe overhead of spin_lock() can be reduced.\n\nIf there is any misunderstanding, please let me know, thanks.\n\n[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/\n[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()\nreturn false when I reproduced the bug."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vfs: arregla la ejecuci\u00f3n entre evice_inodes() y find_inode()&iput() Hola a todos Recientemente not\u00e9 un error[1] en btrfs, despu\u00e9s de investigarlo y creo que es una ejecuci\u00f3n en vfs. Supongamos que hay un inodo (es decir, ino 261) con i_count 1 que es llamado por iput(), y hay un hilo concurrente que llama a generic_shutdown_super(). cpu0: cpu1: iput() // i_count es 1 ->spin_lock(inode) ->dec i_count a 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // por alguna raz\u00f3n[2] ->if (atomic_read(inode->i_count)) continue; // regresar antes // el inodo 261 pas\u00f3 la verificaci\u00f3n anterior // list_lru_add_obj() // y luego programar la salida ->spin_unlock() // nota aqu\u00ed: el inodo 261 // todav\u00eda estaba en la lista sb y la lista hash, // y I_FREEING|I_WILL_FREE no se hab\u00eda establecido btrfs_iget() // despu\u00e9s de algunas llamadas de funci\u00f3n ->find_inode() // encontr\u00f3 el inodo 261 anterior ->spin_lock(inode) // verific\u00f3 I_FREEING|I_WILL_FREE // y pas\u00f3 ->__iget() ->spin_unlock(inode) // program\u00f3 de regreso ->spin_lock(inode) // verific\u00f3 los indicadores (I_NEW|I_FREEING|I_WILL_FREE), // pas\u00f3 y estableci\u00f3 I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count a 0 ->iput_final() ->spin_unlock() ->evict() Ahora, tenemos dos subprocesos expulsando simult\u00e1neamente el mismo inodo, lo que puede activar la declaraci\u00f3n BUG(inode->i_state & I_CLEAR) tanto dentro de clear_inode() como de iput(). Para corregir el error, vuelva a verificar inode->i_count despu\u00e9s de mantener i_lock. Porque en la mayor\u00eda de los escenarios, la primera verificaci\u00f3n es v\u00e1lida y se puede reducir la sobrecarga de spin_lock(). Si hay alg\u00fan malentendido, h\u00e1gamelo saber, gracias. [1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ [2]: La raz\u00f3n podr\u00eda ser 1. SB_ACTIVE fue eliminado o 2. mapping_shrinkable() devolvi\u00f3 falso cuando reproduje el error."}], "id": "CVE-2024-47679", "lastModified": "2024-11-08T16:15:24.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-21T12:15:04.920", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/489faddb1ae75b0e1a741fe5ca2542a2b5e794a5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6cc13a80a26e6b48f78c725c01b91987d61563ef"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: vfs: fix race between evice_inodes() and find_inode()&iput()", "id": "2320172", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320172"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nvfs: fix race between evice_inodes() and find_inode()&iput()\nHi, all\nRecently I noticed a bug[1] in btrfs, after digged it into\nand I believe it'a race in vfs.\nLet's assume there's a inode (ie ino 261) with i_count 1 is\ncalled by iput(), and there's a concurrent thread calling\ngeneric_shutdown_super().\ncpu0: cpu1:\niput() // i_count is 1\n->spin_lock(inode)\n->dec i_count to 0\n->iput_final() generic_shutdown_super()\n->__inode_add_lru() ->evict_inodes()\n// cause some reason[2] ->if (atomic_read(inode->i_count)) continue;\n// return before // inode 261 passed the above check\n// list_lru_add_obj() // and then schedule out\n->spin_unlock()\n// note here: the inode 261\n// was still at sb list and hash list,\n// and I_FREEING|I_WILL_FREE was not been set\nbtrfs_iget()\n// after some function calls\n->find_inode()\n// found the above inode 261\n->spin_lock(inode)\n// check I_FREEING|I_WILL_FREE\n// and passed\n->__iget()\n->spin_unlock(inode) // schedule back\n->spin_lock(inode)\n// check (I_NEW|I_FREEING|I_WILL_FREE) flags,\n// passed and set I_FREEING\niput() ->spin_unlock(inode)\n->spin_lock(inode) ->evict()\n// dec i_count to 0\n->iput_final()\n->spin_unlock()\n->evict()\nNow, we have two threads simultaneously evicting\nthe same inode, which may trigger the BUG(inode->i_state & I_CLEAR)\nstatement both within clear_inode() and iput().\nTo fix the bug, recheck the inode->i_count after holding i_lock.\nBecause in the most scenarios, the first check is valid, and\nthe overhead of spin_lock() can be reduced.\nIf there is any misunderstanding, please let me know, thanks.\n[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/\n[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()\nreturn false when I reproduced the bug."], "name": "CVE-2024-47679", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47679\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47679\nhttps://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-47679-e793@gregkh/T"], "threat_severity": "Moderate"}