{"id":"CVE-2024-45003","summary":"vfs: Don't evict inode under the inode lru traversing context","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: Don't evict inode under the inode lru traversing context\n\nThe inode reclaiming process(See function prune_icache_sb) collects all\nreclaimable inodes and mark them with I_FREEING flag at first, at that\ntime, other processes will be stuck if they try getting these inodes\n(See function find_inode_fast), then the reclaiming process destroy the\ninodes by function dispose_list(). Some filesystems(eg. ext4 with\nea_inode feature, ubifs with xattr) may do inode lookup in the inode\nevicting callback function, if the inode lookup is operated under the\ninode lru traversing context, deadlock problems may happen.\n\nCase 1: In function ext4_evict_inode(), the ea inode lookup could happen\n if ea_inode feature is enabled, the lookup process will be stuck\n\tunder the evicting context like this:\n\n 1. File A has inode i_reg and an ea inode i_ea\n 2. getfattr(A, xattr_buf) // i_ea is added into lru // lru-\u003ei_ea\n 3. Then, following three processes running like this:\n\n PA PB\n echo 2 \u003e /proc/sys/vm/drop_caches\n shrink_slab\n prune_dcache_sb\n // i_reg is added into lru, lru-\u003ei_ea-\u003ei_reg\n prune_icache_sb\n list_lru_walk_one\n inode_lru_isolate\n i_ea-\u003ei_state |= I_FREEING // set inode state\n inode_lru_isolate\n __iget(i_reg)\n spin_unlock(&i_reg-\u003ei_lock)\n spin_unlock(lru_lock)\n rm file A\n i_reg-\u003enlink = 0\n iput(i_reg) // i_reg-\u003enlink is 0, do evict\n ext4_evict_inode\n ext4_xattr_delete_inode\n ext4_xattr_inode_dec_ref_all\n ext4_xattr_inode_iget\n ext4_iget(i_ea-\u003ei_ino)\n iget_locked\n find_inode_fast\n __wait_on_freeing_inode(i_ea) ----→ AA deadlock\n dispose_list // cannot be executed by prune_icache_sb\n wake_up_bit(&i_ea-\u003ei_state)\n\nCase 2: In deleted inode writing function ubifs_jnl_write_inode(), file\n deleting process holds BASEHD's wbuf-\u003eio_mutex while getting the\n\txattr inode, which could race with inode reclaiming process(The\n reclaiming process could try locking BASEHD's wbuf-\u003eio_mutex in\n\tinode evicting function), then an ABBA deadlock problem would\n\thappen as following:\n\n 1. File A has inode ia and a xattr(with inode ixa), regular file B has\n inode ib and a xattr.\n 2. getfattr(A, xattr_buf) // ixa is added into lru // lru-\u003eixa\n 3. Then, following three processes running like this:\n\n PA PB PC\n echo 2 \u003e /proc/sys/vm/drop_caches\n shrink_slab\n prune_dcache_sb\n // ib and ia are added into lru, lru-\u003eixa-\u003eib-\u003eia\n prune_icache_sb\n list_lru_walk_one\n inode_lru_isolate\n ixa-\u003ei_state |= I_FREEING // set inode state\n inode_lru_isolate\n __iget(ib)\n spin_unlock(&ib-\u003ei_lock)\n spin_unlock(lru_lock)\n rm file B\n ib-\u003enlink = 0\n rm file A\n iput(ia)\n ubifs_evict_inode(ia)\n ubifs_jnl_delete_inode(ia)\n ubifs_jnl_write_inode(ia)\n make_reservation(BASEHD) // Lock wbuf-\u003eio_mutex\n ubifs_iget(ixa-\u003ei_ino)\n iget_locked\n find_inode_fast\n __wait_on_freeing_inode(ixa)\n | iput(ib) // ib-\u003enlink is 0, do evict\n | ubifs_evict_inode\n | ubifs_jnl_delete_inode(ib)\n ↓ ubifs_jnl_write_inode\n ABBA deadlock ←-----make_reservation(BASEHD)\n dispose_list // cannot be executed by prune_icache_sb\n wake_up_bit(&ixa-\u003ei_state)\n\nFix the possible deadlock by using new inode state flag I_LRU_ISOLATING\nto pin the inode in memory while inode_lru_isolate(\n---truncated---","modified":"2026-03-20T12:38:57.257289Z","published":"2024-09-04T19:54:46.276Z","related":["MGASA-2024-0309","MGASA-2024-0310","SUSE-SU-2024:3403-1","SUSE-SU-2024:3408-1","SUSE-SU-2024:3551-1","SUSE-SU-2024:3561-1","SUSE-SU-2024:3564-1","SUSE-SU-2024:3565-1","SUSE-SU-2024:3567-1","SUSE-SU-2024:3569-1","SUSE-SU-2024:3585-1","SUSE-SU-2024:3587-1","SUSE-SU-2024:3592-1","SUSE-SU-2025:20073-1","SUSE-SU-2025:20077-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45003.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/03880af02a78bc9a98b5a581f529cf709c88a9b8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2a0629834cd82f05d424bbc193374f9a43d1f87d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3525ad25240dfdd8c78f3470911ed10aa727aa72"},{"type":"WEB","url":"https://git.kernel.org/stable/c/437741eba63bf4e437e2beb5583f8633556a2b98"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9063ab49c11e9518a3f2352434bb276cc8134c5f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b9bda5f6012dd00372f3a06a82ed8971a4c57c32"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cda54ec82c0f9d05393242b20b13f69b083f7e88"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45003.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45003"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e50e5129f384ae282adebfb561189cdb19b81cee"},{"fixed":"3525ad25240dfdd8c78f3470911ed10aa727aa72"},{"fixed":"03880af02a78bc9a98b5a581f529cf709c88a9b8"},{"fixed":"cda54ec82c0f9d05393242b20b13f69b083f7e88"},{"fixed":"437741eba63bf4e437e2beb5583f8633556a2b98"},{"fixed":"b9bda5f6012dd00372f3a06a82ed8971a4c57c32"},{"fixed":"9063ab49c11e9518a3f2352434bb276cc8134c5f"},{"fixed":"2a0629834cd82f05d424bbc193374f9a43d1f87d"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45003.json"}}],"schema_version":"1.7.5"}