CVE-2024-47679: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: vfs: fix race between evice_inodes() and find_inode()&iput() Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super(). cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before // inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING|I_WILL_FREE was not been set btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode) // schedule back ->spin_lock(inode) // check (I_NEW|I_FREEING|I_WILL_FREE) flags, // passed and set I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict() Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput(). To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced. If there is any misunderstanding, please let me know, thanks. [1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ [2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug.
AI Analysis
Technical Summary
CVE-2024-47679 is a race condition vulnerability in the Linux kernel's Virtual File System (VFS) layer, specifically involving inode reference counting and eviction processes. The issue arises from a concurrency flaw between the iput() function, which decrements the inode's reference count (i_count) and potentially frees the inode, and generic_shutdown_super(), which evicts inodes during filesystem shutdown. The vulnerability manifests when two threads simultaneously operate on the same inode (e.g., inode number 261) without proper synchronization. One thread calls iput(), reducing i_count to zero and initiating inode finalization, while another concurrently calls generic_shutdown_super(), evicting inodes and checking i_count. Due to a race, the inode remains linked in the superblock's lists without the I_FREEING or I_WILL_FREE flags set, allowing btrfs_iget() to find and operate on this inode concurrently. This leads to two threads simultaneously evicting the same inode, triggering kernel BUG() conditions related to inode state inconsistencies (I_CLEAR flag). The root cause is the lack of a recheck of i_count after acquiring the inode lock (i_lock), which the patch addresses by adding this revalidation to prevent double eviction. This vulnerability affects Linux kernel versions prior to the fix and is particularly relevant for filesystems like Btrfs that rely heavily on inode management. Exploitation could cause kernel crashes (denial of service) or potentially lead to undefined behavior due to corrupted inode state. No known exploits are reported in the wild yet, and no CVSS score has been assigned. The fix involves modifying the inode reference count handling to ensure atomicity and proper locking, preventing concurrent eviction races.
Potential Impact
For European organizations, the impact of CVE-2024-47679 primarily involves potential denial of service (DoS) conditions on Linux systems using affected kernel versions, especially those utilizing Btrfs or similar filesystems. Many European enterprises, government agencies, and service providers rely on Linux servers for critical infrastructure, cloud services, and data centers. A kernel crash caused by this race condition could disrupt services, leading to downtime and potential data loss if inode corruption occurs. While the vulnerability does not directly enable privilege escalation or remote code execution, the resulting instability can affect availability and integrity of systems. Organizations running multi-threaded workloads or heavy filesystem operations are at higher risk. Additionally, embedded Linux devices or network appliances used in European critical infrastructure may also be vulnerable if not updated. The absence of known exploits reduces immediate risk, but the complexity of the bug and its presence in core kernel code necessitate prompt patching to avoid future exploitation attempts. The vulnerability's impact on confidentiality is minimal, but integrity and availability risks are significant in affected environments.
Mitigation Recommendations
1. Immediate deployment of the official Linux kernel patch that rechecks inode reference counts after acquiring the inode lock to prevent race conditions. 2. Prioritize patching on systems running Btrfs or other filesystems heavily dependent on inode management, especially in multi-threaded or high I/O environments. 3. Implement kernel live patching solutions where possible to reduce downtime during patch application. 4. Monitor kernel logs for BUG() messages or inode-related errors that could indicate exploitation attempts or triggering of the race condition. 5. Conduct thorough testing of updated kernels in staging environments to ensure stability before production rollout. 6. For critical infrastructure, consider temporarily limiting concurrent shutdown or unmount operations that could trigger generic_shutdown_super() during patch deployment. 7. Maintain up-to-date backups and disaster recovery plans to mitigate potential data loss from unexpected kernel crashes. 8. Engage with Linux distribution vendors for timely updates and security advisories specific to their kernel versions and backports.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2024-47679: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: vfs: fix race between evice_inodes() and find_inode()&iput() Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super(). cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before // inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING|I_WILL_FREE was not been set btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode) // schedule back ->spin_lock(inode) // check (I_NEW|I_FREEING|I_WILL_FREE) flags, // passed and set I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict() Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput(). To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced. If there is any misunderstanding, please let me know, thanks. [1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ [2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug.
AI-Powered Analysis
Technical Analysis
CVE-2024-47679 is a race condition vulnerability in the Linux kernel's Virtual File System (VFS) layer, specifically involving inode reference counting and eviction processes. The issue arises from a concurrency flaw between the iput() function, which decrements the inode's reference count (i_count) and potentially frees the inode, and generic_shutdown_super(), which evicts inodes during filesystem shutdown. The vulnerability manifests when two threads simultaneously operate on the same inode (e.g., inode number 261) without proper synchronization. One thread calls iput(), reducing i_count to zero and initiating inode finalization, while another concurrently calls generic_shutdown_super(), evicting inodes and checking i_count. Due to a race, the inode remains linked in the superblock's lists without the I_FREEING or I_WILL_FREE flags set, allowing btrfs_iget() to find and operate on this inode concurrently. This leads to two threads simultaneously evicting the same inode, triggering kernel BUG() conditions related to inode state inconsistencies (I_CLEAR flag). The root cause is the lack of a recheck of i_count after acquiring the inode lock (i_lock), which the patch addresses by adding this revalidation to prevent double eviction. This vulnerability affects Linux kernel versions prior to the fix and is particularly relevant for filesystems like Btrfs that rely heavily on inode management. Exploitation could cause kernel crashes (denial of service) or potentially lead to undefined behavior due to corrupted inode state. No known exploits are reported in the wild yet, and no CVSS score has been assigned. The fix involves modifying the inode reference count handling to ensure atomicity and proper locking, preventing concurrent eviction races.
Potential Impact
For European organizations, the impact of CVE-2024-47679 primarily involves potential denial of service (DoS) conditions on Linux systems using affected kernel versions, especially those utilizing Btrfs or similar filesystems. Many European enterprises, government agencies, and service providers rely on Linux servers for critical infrastructure, cloud services, and data centers. A kernel crash caused by this race condition could disrupt services, leading to downtime and potential data loss if inode corruption occurs. While the vulnerability does not directly enable privilege escalation or remote code execution, the resulting instability can affect availability and integrity of systems. Organizations running multi-threaded workloads or heavy filesystem operations are at higher risk. Additionally, embedded Linux devices or network appliances used in European critical infrastructure may also be vulnerable if not updated. The absence of known exploits reduces immediate risk, but the complexity of the bug and its presence in core kernel code necessitate prompt patching to avoid future exploitation attempts. The vulnerability's impact on confidentiality is minimal, but integrity and availability risks are significant in affected environments.
Mitigation Recommendations
1. Immediate deployment of the official Linux kernel patch that rechecks inode reference counts after acquiring the inode lock to prevent race conditions. 2. Prioritize patching on systems running Btrfs or other filesystems heavily dependent on inode management, especially in multi-threaded or high I/O environments. 3. Implement kernel live patching solutions where possible to reduce downtime during patch application. 4. Monitor kernel logs for BUG() messages or inode-related errors that could indicate exploitation attempts or triggering of the race condition. 5. Conduct thorough testing of updated kernels in staging environments to ensure stability before production rollout. 6. For critical infrastructure, consider temporarily limiting concurrent shutdown or unmount operations that could trigger generic_shutdown_super() during patch deployment. 7. Maintain up-to-date backups and disaster recovery plans to mitigate potential data loss from unexpected kernel crashes. 8. Engage with Linux distribution vendors for timely updates and security advisories specific to their kernel versions and backports.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-09-30T16:00:12.939Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9825c4522896dcbe04ba
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 7:26:22 PM
Last updated: 8/6/2025, 9:11:10 AM
Views: 12
Related Threats
CVE-2025-9047: SQL Injection in projectworlds Visitor Management System
MediumCVE-2025-9046: Stack-based Buffer Overflow in Tenda AC20
HighCVE-2025-9028: SQL Injection in code-projects Online Medicine Guide
MediumCVE-2025-26709: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ZTE F50
MediumCVE-2025-9027: SQL Injection in code-projects Online Medicine Guide
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.