{"id":"CVE-2024-47679","summary":"vfs: fix race between evice_inodes() and find_inode()&iput()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nvfs: fix race between evice_inodes() and find_inode()&iput()\n\nHi, all\n\nRecently I noticed a bug[1] in btrfs, after digged it into\nand I believe it'a race in vfs.\n\nLet's assume there's a inode (ie ino 261) with i_count 1 is\ncalled by iput(), and there's a concurrent thread calling\ngeneric_shutdown_super().\n\ncpu0:                              cpu1:\niput() // i_count is 1\n  -\u003espin_lock(inode)\n  -\u003edec i_count to 0\n  -\u003eiput_final()                    generic_shutdown_super()\n    -\u003e__inode_add_lru()               -\u003eevict_inodes()\n      // cause some reason[2]           -\u003eif (atomic_read(inode-\u003ei_count)) continue;\n      // return before                  // inode 261 passed the above check\n      // list_lru_add_obj()             // and then schedule out\n   -\u003espin_unlock()\n// note here: the inode 261\n// was still at sb list and hash list,\n// and I_FREEING|I_WILL_FREE was not been set\n\nbtrfs_iget()\n  // after some function calls\n  -\u003efind_inode()\n    // found the above inode 261\n    -\u003espin_lock(inode)\n   // check I_FREEING|I_WILL_FREE\n   // and passed\n      -\u003e__iget()\n    -\u003espin_unlock(inode)                // schedule back\n                                        -\u003espin_lock(inode)\n                                        // check (I_NEW|I_FREEING|I_WILL_FREE) flags,\n                                        // passed and set I_FREEING\niput()                                  -\u003espin_unlock(inode)\n  -\u003espin_lock(inode)\t\t\t  -\u003eevict()\n  // dec i_count to 0\n  -\u003eiput_final()\n    -\u003espin_unlock()\n    -\u003eevict()\n\nNow, we have two threads simultaneously evicting\nthe same inode, which may trigger the BUG(inode-\u003ei_state & I_CLEAR)\nstatement both within clear_inode() and iput().\n\nTo fix the bug, recheck the inode-\u003ei_count after holding i_lock.\nBecause in the most scenarios, the first check is valid, and\nthe overhead of spin_lock() can be reduced.\n\nIf there is any misunderstanding, please let me know, thanks.\n\n[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/\n[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()\nreturn false when I reproduced the bug.","modified":"2026-03-20T12:38:03.066896Z","published":"2024-10-21T11:53:22.469Z","related":["ALSA-2025:20518","MGASA-2024-0344","MGASA-2024-0345","SUSE-SU-2024:4314-1","SUSE-SU-2024:4315-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4367-1","SUSE-SU-2024:4376-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:0035-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47679.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0eed942bc65de1f93eca7bda51344290f9c573bb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3721a69403291e2514d13a7c3af50a006ea1153b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/47a68c75052a660e4c37de41e321582ec9496195"},{"type":"WEB","url":"https://git.kernel.org/stable/c/489faddb1ae75b0e1a741fe5ca2542a2b5e794a5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/540fb13120c9eab3ef203f90c00c8e69f37449d1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6c857fb12b9137fee574443385d53914356bbe11"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6cc13a80a26e6b48f78c725c01b91987d61563ef"},{"type":"WEB","url":"https://git.kernel.org/stable/c/88b1afbf0f6b221f6c5bb66cc80cd3b38d696687"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47679.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47679"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"63997e98a3be68d7cec806d22bf9b02b2e1daabb"},{"fixed":"6cc13a80a26e6b48f78c725c01b91987d61563ef"},{"fixed":"489faddb1ae75b0e1a741fe5ca2542a2b5e794a5"},{"fixed":"47a68c75052a660e4c37de41e321582ec9496195"},{"fixed":"3721a69403291e2514d13a7c3af50a006ea1153b"},{"fixed":"540fb13120c9eab3ef203f90c00c8e69f37449d1"},{"fixed":"0eed942bc65de1f93eca7bda51344290f9c573bb"},{"fixed":"0f8a5b6d0dafa4f533ac82e98f8b812073a7c9d1"},{"fixed":"6c857fb12b9137fee574443385d53914356bbe11"},{"fixed":"88b1afbf0f6b221f6c5bb66cc80cd3b38d696687"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47679.json"}}],"schema_version":"1.7.5"}