FKIE_CVE-2021-47256

Vulnerability from fkie_nvd - Published: 2024-05-21 15:15 - Updated: 2025-04-30 15:05
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: make sure wait for page writeback in memory_failure Our syzkaller trigger the "BUG_ON(!list_empty(&inode->i_wb_list))" in clear_inode: kernel BUG at fs/inode.c:519! Internal error: Oops - BUG: 0 [#1] SMP Modules linked in: Process syz-executor.0 (pid: 249, stack limit = 0x00000000a12409d7) CPU: 1 PID: 249 Comm: syz-executor.0 Not tainted 4.19.95 Hardware name: linux,dummy-virt (DT) pstate: 80000005 (Nzcv daif -PAN -UAO) pc : clear_inode+0x280/0x2a8 lr : clear_inode+0x280/0x2a8 Call trace: clear_inode+0x280/0x2a8 ext4_clear_inode+0x38/0xe8 ext4_free_inode+0x130/0xc68 ext4_evict_inode+0xb20/0xcb8 evict+0x1a8/0x3c0 iput+0x344/0x460 do_unlinkat+0x260/0x410 __arm64_sys_unlinkat+0x6c/0xc0 el0_svc_common+0xdc/0x3b0 el0_svc_handler+0xf8/0x160 el0_svc+0x10/0x218 Kernel panic - not syncing: Fatal exception A crash dump of this problem show that someone called __munlock_pagevec to clear page LRU without lock_page: do_mmap -> mmap_region -> do_munmap -> munlock_vma_pages_range -> __munlock_pagevec. As a result memory_failure will call identify_page_state without wait_on_page_writeback. And after truncate_error_page clear the mapping of this page. end_page_writeback won't call sb_clear_inode_writeback to clear inode->i_wb_list. That will trigger BUG_ON in clear_inode! Fix it by checking PageWriteback too to help determine should we skip wait_on_page_writeback.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/28788dc5c70597395b6b451dae4549bbaa8e2c56Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/566345aaabac853aa866f53a219c4b02a6beb527Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6d210d547adc2218ef8b5bcf23518c5f2f1fd872Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9e379da727a7a031be9b877cde7b9c34a0fb8306Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d05267fd27a5c4f54e06daefa3035995d765ca0cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e8675d291ac007e1c636870db880f837a9ea112aPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/28788dc5c70597395b6b451dae4549bbaa8e2c56Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/566345aaabac853aa866f53a219c4b02a6beb527Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/6d210d547adc2218ef8b5bcf23518c5f2f1fd872Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/9e379da727a7a031be9b877cde7b9c34a0fb8306Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/d05267fd27a5c4f54e06daefa3035995d765ca0cPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/e8675d291ac007e1c636870db880f837a9ea112aPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 5.13
linux linux_kernel 5.13
linux linux_kernel 5.13
linux linux_kernel 5.13
linux linux_kernel 5.13
linux linux_kernel 5.13
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC6F60EE-EF5A-4213-9927-5F26053B4B41",
              "versionEndExcluding": "4.14.238",
              "versionStartIncluding": "3.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3CAB837-7D38-4934-AD4F-195CEFD754E6",
              "versionEndExcluding": "4.19.196",
              "versionStartIncluding": "4.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6267BD4E-BE25-48B5-B850-4B493440DAFA",
              "versionEndExcluding": "5.4.128",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "59455D13-A902-42E1-97F7-5ED579777193",
              "versionEndExcluding": "5.10.46",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7806E7E5-6D4F-4E18-81C1-79B3C60EE855",
              "versionEndExcluding": "5.12.13",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "96AC23B2-D46A-49D9-8203-8E1BEDCA8532",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "DA610E30-717C-4700-9F77-A3C9244F3BFD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "1ECD33F5-85BE-430B-8F86-8D7BD560311D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "CF351855-2437-4CF5-AD7C-BDFA51F27683",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "25A855BA-2118-44F2-90EF-EBBB12AF51EF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: make sure wait for page writeback in memory_failure\n\nOur syzkaller trigger the \"BUG_ON(!list_empty(\u0026inode-\u003ei_wb_list))\" in\nclear_inode:\n\n  kernel BUG at fs/inode.c:519!\n  Internal error: Oops - BUG: 0 [#1] SMP\n  Modules linked in:\n  Process syz-executor.0 (pid: 249, stack limit = 0x00000000a12409d7)\n  CPU: 1 PID: 249 Comm: syz-executor.0 Not tainted 4.19.95\n  Hardware name: linux,dummy-virt (DT)\n  pstate: 80000005 (Nzcv daif -PAN -UAO)\n  pc : clear_inode+0x280/0x2a8\n  lr : clear_inode+0x280/0x2a8\n  Call trace:\n    clear_inode+0x280/0x2a8\n    ext4_clear_inode+0x38/0xe8\n    ext4_free_inode+0x130/0xc68\n    ext4_evict_inode+0xb20/0xcb8\n    evict+0x1a8/0x3c0\n    iput+0x344/0x460\n    do_unlinkat+0x260/0x410\n    __arm64_sys_unlinkat+0x6c/0xc0\n    el0_svc_common+0xdc/0x3b0\n    el0_svc_handler+0xf8/0x160\n    el0_svc+0x10/0x218\n  Kernel panic - not syncing: Fatal exception\n\nA crash dump of this problem show that someone called __munlock_pagevec\nto clear page LRU without lock_page: do_mmap -\u003e mmap_region -\u003e do_munmap\n-\u003e munlock_vma_pages_range -\u003e __munlock_pagevec.\n\nAs a result memory_failure will call identify_page_state without\nwait_on_page_writeback.  And after truncate_error_page clear the mapping\nof this page.  end_page_writeback won\u0027t call sb_clear_inode_writeback to\nclear inode-\u003ei_wb_list.  That will trigger BUG_ON in clear_inode!\n\nFix it by checking PageWriteback too to help determine should we skip\nwait_on_page_writeback."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/memory-failure: aseg\u00farese de esperar la reescritura de la p\u00e1gina en Memory_failure. Nuestro syzkaller activa el \"BUG_ON(!list_empty(\u0026amp;inode-\u0026gt;i_wb_list))\" en clear_inode: kernel BUG en fs /inodo.c:519! Error interno: Oops - BUG: 0 [#1] M\u00f3dulos SMP vinculados en: Proceso syz-executor.0 (pid: 249, l\u00edmite de pila = 0x00000000a12409d7) CPU: 1 PID: 249 Comm: syz-executor.0 No contaminado 4.19. 95 Nombre de hardware: linux,dummy-virt (DT) pstate: 80000005 (Nzcv daif -PAN -UAO) pc: clear_inode+0x280/0x2a8 lr: clear_inode+0x280/0x2a8 Rastreo de llamadas: clear_inode+0x280/0x2a8 ext4_clear_inode+0x38/0xe8 ext4_free_inode+0x130/0xc68 ext4_evict_inode+0xb20/0xcb8 desalojar+0x1a8/0x3c0 iput+0x344/0x460 do_unlinkat+0x260/0x410 __arm64_sys_unlinkat+0x6c/0xc0 el0_svc_common+0xdc /0x3b0 el0_svc_handler+0xf8/0x160 el0_svc+0x10/0x218 P\u00e1nico del kernel: no se sincroniza : Excepci\u00f3n fatal Un volcado de memoria de este problema muestra que alguien llam\u00f3 a __munlock_pagevec para borrar la p\u00e1gina LRU sin lock_page: do_mmap -\u0026gt; mmap_region -\u0026gt; do_munmap -\u0026gt; munlock_vma_pages_range -\u0026gt; __munlock_pagevec. Como resultado, Memory_failure llamar\u00e1 a identify_page_state sin wait_on_page_writeback. Y despu\u00e9s de truncate_error_page, borre el mapeo de esta p\u00e1gina. end_page_writeback no llamar\u00e1 a sb_clear_inode_writeback para borrar inode-\u0026gt;i_wb_list. \u00a1Eso activar\u00e1 BUG_ON en clear_inode! Solucionarlo marcando tambi\u00e9n PageWriteback para ayudar a determinar si debemos omitir wait_on_page_writeback."
    }
  ],
  "id": "CVE-2021-47256",
  "lastModified": "2025-04-30T15:05:57.057",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-05-21T15:15:14.380",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/28788dc5c70597395b6b451dae4549bbaa8e2c56"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/566345aaabac853aa866f53a219c4b02a6beb527"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6d210d547adc2218ef8b5bcf23518c5f2f1fd872"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9e379da727a7a031be9b877cde7b9c34a0fb8306"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d05267fd27a5c4f54e06daefa3035995d765ca0c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e8675d291ac007e1c636870db880f837a9ea112a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/28788dc5c70597395b6b451dae4549bbaa8e2c56"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/566345aaabac853aa866f53a219c4b02a6beb527"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6d210d547adc2218ef8b5bcf23518c5f2f1fd872"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9e379da727a7a031be9b877cde7b9c34a0fb8306"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d05267fd27a5c4f54e06daefa3035995d765ca0c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e8675d291ac007e1c636870db880f837a9ea112a"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.