Ubuntu: (Multiple Advisories) (CVE-2024-47679): Linux kernel vulnerabilities

Ubuntu: (Multiple Advisories) (CVE-2024-47679): Linux kernel vulnerabilities

Severity

4

CVSS

(AV:L/AC:M/Au:S/C:N/I:N/A:C)

Published

10/21/2024

Created

12/19/2024

Added

12/18/2024

Modified

01/30/2025

Description

In the Linux kernel, the following vulnerability has been resolved: vfs: fix race between evice_inodes() and find_inode()&iput() Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super(). cpu0:cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final()generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before// inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING|I_WILL_FREE was not been set btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode)// schedule back ->spin_lock(inode) // check (I_NEW|I_FREEING|I_WILL_FREE) flags, // passed and set I_FREEING iput()->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict() Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput(). To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced. If there is any misunderstanding, please let me know, thanks. [1]: https://lore.kernel.org/linux-btrfs/[email protected]/ [2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug.

Solution(s)

• ubuntu-upgrade-linux-image-5-15-0-1039-xilinx-zynqmp
• ubuntu-upgrade-linux-image-5-15-0-1056-gkeop
• ubuntu-upgrade-linux-image-5-15-0-1066-ibm
• ubuntu-upgrade-linux-image-5-15-0-1066-raspi
• ubuntu-upgrade-linux-image-5-15-0-1068-nvidia
• ubuntu-upgrade-linux-image-5-15-0-1068-nvidia-lowlatency
• ubuntu-upgrade-linux-image-5-15-0-1070-gke
• ubuntu-upgrade-linux-image-5-15-0-1070-kvm
• ubuntu-upgrade-linux-image-5-15-0-1071-intel-iotg
• ubuntu-upgrade-linux-image-5-15-0-1071-oracle
• ubuntu-upgrade-linux-image-5-15-0-1072-gcp
• ubuntu-upgrade-linux-image-5-15-0-1073-aws
• ubuntu-upgrade-linux-image-5-15-0-1078-azure
• ubuntu-upgrade-linux-image-5-15-0-127-generic
• ubuntu-upgrade-linux-image-5-15-0-127-generic-64k
• ubuntu-upgrade-linux-image-5-15-0-127-generic-lpae
• ubuntu-upgrade-linux-image-5-15-0-127-lowlatency
• ubuntu-upgrade-linux-image-5-15-0-127-lowlatency-64k
• ubuntu-upgrade-linux-image-aws
• ubuntu-upgrade-linux-image-aws-lts-22-04
• ubuntu-upgrade-linux-image-azure
• ubuntu-upgrade-linux-image-azure-cvm
• ubuntu-upgrade-linux-image-azure-lts-22-04
• ubuntu-upgrade-linux-image-gcp
• ubuntu-upgrade-linux-image-gcp-lts-22-04
• ubuntu-upgrade-linux-image-generic
• ubuntu-upgrade-linux-image-generic-64k
• ubuntu-upgrade-linux-image-generic-64k-hwe-20-04
• ubuntu-upgrade-linux-image-generic-hwe-20-04
• ubuntu-upgrade-linux-image-generic-lpae
• ubuntu-upgrade-linux-image-generic-lpae-hwe-20-04
• ubuntu-upgrade-linux-image-gke
• ubuntu-upgrade-linux-image-gke-5-15
• ubuntu-upgrade-linux-image-gkeop
• ubuntu-upgrade-linux-image-gkeop-5-15
• ubuntu-upgrade-linux-image-ibm
• ubuntu-upgrade-linux-image-intel
• ubuntu-upgrade-linux-image-intel-iotg
• ubuntu-upgrade-linux-image-kvm
• ubuntu-upgrade-linux-image-lowlatency
• ubuntu-upgrade-linux-image-lowlatency-64k
• ubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04
• ubuntu-upgrade-linux-image-lowlatency-hwe-20-04
• ubuntu-upgrade-linux-image-nvidia
• ubuntu-upgrade-linux-image-nvidia-lowlatency
• ubuntu-upgrade-linux-image-oem-20-04
• ubuntu-upgrade-linux-image-oem-20-04b
• ubuntu-upgrade-linux-image-oem-20-04c
• ubuntu-upgrade-linux-image-oem-20-04d
• ubuntu-upgrade-linux-image-oracle
• ubuntu-upgrade-linux-image-oracle-lts-22-04
• ubuntu-upgrade-linux-image-raspi
• ubuntu-upgrade-linux-image-raspi-nolpae
• ubuntu-upgrade-linux-image-virtual
• ubuntu-upgrade-linux-image-virtual-hwe-20-04
• ubuntu-upgrade-linux-image-xilinx-zynqmp

References

• https://attackerkb.com/topics/cve-2024-47679
• CVE - 2024-47679
• USN-7166-1
• USN-7166-2
• USN-7166-3
• USN-7166-4
• USN-7186-1
• USN-7186-2
• USN-7194-1

View more