{"id":"AZL-50900","summary":"CVE-2024-47679 affecting package kernel for versions less than 6.6.56.1-5","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: fix race between evice_inodes() and find_inode()&iput()\n\nHi, all\n\nRecently I noticed a bug[1] in btrfs, after digged it into\nand I believe it'a race in vfs.\n\nLet's assume there's a inode (ie ino 261) with i_count 1 is\ncalled by iput(), and there's a concurrent thread calling\ngeneric_shutdown_super().\n\ncpu0:                              cpu1:\niput() // i_count is 1\n  -\u003espin_lock(inode)\n  -\u003edec i_count to 0\n  -\u003eiput_final()                    generic_shutdown_super()\n    -\u003e__inode_add_lru()               -\u003eevict_inodes()\n      // cause some reason[2]           -\u003eif (atomic_read(inode-\u003ei_count)) continue;\n      // return before                  // inode 261 passed the above check\n      // list_lru_add_obj()             // and then schedule out\n   -\u003espin_unlock()\n// note here: the inode 261\n// was still at sb list and hash list,\n// and I_FREEING|I_WILL_FREE was not been set\n\nbtrfs_iget()\n  // after some function calls\n  -\u003efind_inode()\n    // found the above inode 261\n    -\u003espin_lock(inode)\n   // check I_FREEING|I_WILL_FREE\n   // and passed\n      -\u003e__iget()\n    -\u003espin_unlock(inode)                // schedule back\n                                        -\u003espin_lock(inode)\n                                        // check (I_NEW|I_FREEING|I_WILL_FREE) flags,\n                                        // passed and set I_FREEING\niput()                                  -\u003espin_unlock(inode)\n  -\u003espin_lock(inode)\t\t\t  -\u003eevict()\n  // dec i_count to 0\n  -\u003eiput_final()\n    -\u003espin_unlock()\n    -\u003eevict()\n\nNow, we have two threads simultaneously evicting\nthe same inode, which may trigger the BUG(inode-\u003ei_state & I_CLEAR)\nstatement both within clear_inode() and iput().\n\nTo fix the bug, recheck the inode-\u003ei_count after holding i_lock.\nBecause in the most scenarios, the first check is valid, and\nthe overhead of spin_lock() can be reduced.\n\nIf there is any misunderstanding, please let me know, thanks.\n\n[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/\n[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()\nreturn false when I reproduced the bug.","modified":"2026-04-01T05:16:20.802801Z","published":"2024-10-21T12:15:04Z","upstream":["CVE-2024-47679"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47679"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.56.1-5"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-50900.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}