{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-21T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: vfs: fix race between evice_inodes() and find_inode()&iput()",
    "id" : "2320172",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2320172"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-362",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nvfs: fix race between evice_inodes() and find_inode()&iput()\nHi, all\nRecently I noticed a bug[1] in btrfs, after digging into it\nand I believe it's a race in vfs.\nLet's assume there's an inode (i.e. ino 261) with i_count 1 that is\ncalled by iput(), and there's a concurrent thread calling\ngeneric_shutdown_super().\ncpu0:                              cpu1:\niput() // i_count is 1\n->spin_lock(inode)\n->dec i_count to 0\n->iput_final()                    generic_shutdown_super()\n->__inode_add_lru()               ->evict_inodes()\n// cause some reason[2]           ->if (atomic_read(inode->i_count)) continue;\n// return before                  // inode 261 passed the above check\n// list_lru_add_obj()             // and then schedule out\n->spin_unlock()\n// note here: the inode 261\n// was still at sb list and hash list,\n// and I_FREEING|I_WILL_FREE was not been set\nbtrfs_iget()\n// after some function calls\n->find_inode()\n// found the above inode 261\n->spin_lock(inode)\n// check I_FREEING|I_WILL_FREE\n// and passed\n->__iget()\n->spin_unlock(inode)                // schedule back\n->spin_lock(inode)\n// check (I_NEW|I_FREEING|I_WILL_FREE) flags,\n// passed and set I_FREEING\niput()                                  ->spin_unlock(inode)\n->spin_lock(inode)  ->evict()\n// dec i_count to 0\n->iput_final()\n->spin_unlock()\n->evict()\nNow, we have two threads simultaneously evicting\nthe same inode, which may trigger the BUG(inode->i_state & I_CLEAR)\nstatement both within clear_inode() and iput().\nTo fix the bug, recheck the inode->i_count after holding i_lock.\nBecause in most scenarios, the first check is valid, and\nthe overhead of spin_lock() can be reduced.\nIf there is any misunderstanding, please let me know, thanks.\n[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/\n[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()\nreturn false when I reproduced the bug." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-47679\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47679\nhttps://lore.kernel.org/linux-cve-announce/2024102106-CVE-2024-47679-e793@gregkh/T" ],
  "name" : "CVE-2024-47679",
  "csaw" : false
}