ghsa-9p2r-69c4-v82v
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
vfs: fix race between evice_inodes() and find_inode()&iput()
Hi, all
Recently I noticed a bug1 in btrfs, after digged it into and I believe it'a race in vfs.
Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super().
cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before // inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING|I_WILL_FREE was not been set
btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode) // schedule back ->spin_lock(inode) // check (I_NEW|I_FREEING|I_WILL_FREE) flags, // passed and set I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict()
Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput().
To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced.
If there is any misunderstanding, please let me know, thanks.
[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug.
{
"affected": [],
"aliases": [
"CVE-2024-47679"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T12:15:04Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: fix race between evice_inodes() and find_inode()\u0026iput()\n\nHi, all\n\nRecently I noticed a bug[1] in btrfs, after digged it into\nand I believe it\u0027a race in vfs.\n\nLet\u0027s assume there\u0027s a inode (ie ino 261) with i_count 1 is\ncalled by iput(), and there\u0027s a concurrent thread calling\ngeneric_shutdown_super().\n\ncpu0: cpu1:\niput() // i_count is 1\n -\u003espin_lock(inode)\n -\u003edec i_count to 0\n -\u003eiput_final() generic_shutdown_super()\n -\u003e__inode_add_lru() -\u003eevict_inodes()\n // cause some reason[2] -\u003eif (atomic_read(inode-\u003ei_count)) continue;\n // return before // inode 261 passed the above check\n // list_lru_add_obj() // and then schedule out\n -\u003espin_unlock()\n// note here: the inode 261\n// was still at sb list and hash list,\n// and I_FREEING|I_WILL_FREE was not been set\n\nbtrfs_iget()\n // after some function calls\n -\u003efind_inode()\n // found the above inode 261\n -\u003espin_lock(inode)\n // check I_FREEING|I_WILL_FREE\n // and passed\n -\u003e__iget()\n -\u003espin_unlock(inode) // schedule back\n -\u003espin_lock(inode)\n // check (I_NEW|I_FREEING|I_WILL_FREE) flags,\n // passed and set I_FREEING\niput() -\u003espin_unlock(inode)\n -\u003espin_lock(inode)\t\t\t -\u003eevict()\n // dec i_count to 0\n -\u003eiput_final()\n -\u003espin_unlock()\n -\u003eevict()\n\nNow, we have two threads simultaneously evicting\nthe same inode, which may trigger the BUG(inode-\u003ei_state \u0026 I_CLEAR)\nstatement both within clear_inode() and iput().\n\nTo fix the bug, recheck the inode-\u003ei_count after holding i_lock.\nBecause in the most scenarios, the first check is valid, and\nthe overhead of spin_lock() can be reduced.\n\nIf there is any misunderstanding, please let me know, thanks.\n\n[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/\n[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()\nreturn false when I reproduced the bug.",
"id": "GHSA-9p2r-69c4-v82v",
"modified": "2024-11-08T18:30:44Z",
"published": "2024-10-21T12:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47679"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/489faddb1ae75b0e1a741fe5ca2542a2b5e794a5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6cc13a80a26e6b48f78c725c01b91987d61563ef"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.