GHSA-P52G-5QGX-4CRW

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-04-30 15:30
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/memory-failure: make sure wait for page writeback in memory_failure

Our syzkaller trigger the "BUG_ON(!list_empty(&inode->i_wb_list))" in clear_inode:

kernel BUG at fs/inode.c:519! Internal error: Oops - BUG: 0 [#1] SMP Modules linked in: Process syz-executor.0 (pid: 249, stack limit = 0x00000000a12409d7) CPU: 1 PID: 249 Comm: syz-executor.0 Not tainted 4.19.95 Hardware name: linux,dummy-virt (DT) pstate: 80000005 (Nzcv daif -PAN -UAO) pc : clear_inode+0x280/0x2a8 lr : clear_inode+0x280/0x2a8 Call trace: clear_inode+0x280/0x2a8 ext4_clear_inode+0x38/0xe8 ext4_free_inode+0x130/0xc68 ext4_evict_inode+0xb20/0xcb8 evict+0x1a8/0x3c0 iput+0x344/0x460 do_unlinkat+0x260/0x410 __arm64_sys_unlinkat+0x6c/0xc0 el0_svc_common+0xdc/0x3b0 el0_svc_handler+0xf8/0x160 el0_svc+0x10/0x218 Kernel panic - not syncing: Fatal exception

A crash dump of this problem show that someone called __munlock_pagevec to clear page LRU without lock_page: do_mmap -> mmap_region -> do_munmap -> munlock_vma_pages_range -> __munlock_pagevec.

As a result memory_failure will call identify_page_state without wait_on_page_writeback. And after truncate_error_page clear the mapping of this page. end_page_writeback won't call sb_clear_inode_writeback to clear inode->i_wb_list. That will trigger BUG_ON in clear_inode!

Fix it by checking PageWriteback too to help determine should we skip wait_on_page_writeback.

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47256"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: make sure wait for page writeback in memory_failure\n\nOur syzkaller trigger the \"BUG_ON(!list_empty(\u0026inode-\u003ei_wb_list))\" in\nclear_inode:\n\n  kernel BUG at fs/inode.c:519!\n  Internal error: Oops - BUG: 0 [#1] SMP\n  Modules linked in:\n  Process syz-executor.0 (pid: 249, stack limit = 0x00000000a12409d7)\n  CPU: 1 PID: 249 Comm: syz-executor.0 Not tainted 4.19.95\n  Hardware name: linux,dummy-virt (DT)\n  pstate: 80000005 (Nzcv daif -PAN -UAO)\n  pc : clear_inode+0x280/0x2a8\n  lr : clear_inode+0x280/0x2a8\n  Call trace:\n    clear_inode+0x280/0x2a8\n    ext4_clear_inode+0x38/0xe8\n    ext4_free_inode+0x130/0xc68\n    ext4_evict_inode+0xb20/0xcb8\n    evict+0x1a8/0x3c0\n    iput+0x344/0x460\n    do_unlinkat+0x260/0x410\n    __arm64_sys_unlinkat+0x6c/0xc0\n    el0_svc_common+0xdc/0x3b0\n    el0_svc_handler+0xf8/0x160\n    el0_svc+0x10/0x218\n  Kernel panic - not syncing: Fatal exception\n\nA crash dump of this problem show that someone called __munlock_pagevec\nto clear page LRU without lock_page: do_mmap -\u003e mmap_region -\u003e do_munmap\n-\u003e munlock_vma_pages_range -\u003e __munlock_pagevec.\n\nAs a result memory_failure will call identify_page_state without\nwait_on_page_writeback.  And after truncate_error_page clear the mapping\nof this page.  end_page_writeback won\u0027t call sb_clear_inode_writeback to\nclear inode-\u003ei_wb_list.  That will trigger BUG_ON in clear_inode!\n\nFix it by checking PageWriteback too to help determine should we skip\nwait_on_page_writeback.",
  "id": "GHSA-p52g-5qgx-4crw",
  "modified": "2025-04-30T15:30:43Z",
  "published": "2024-05-21T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47256"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/28788dc5c70597395b6b451dae4549bbaa8e2c56"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/566345aaabac853aa866f53a219c4b02a6beb527"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6d210d547adc2218ef8b5bcf23518c5f2f1fd872"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e379da727a7a031be9b877cde7b9c34a0fb8306"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d05267fd27a5c4f54e06daefa3035995d765ca0c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e8675d291ac007e1c636870db880f837a9ea112a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.