{"vulnerability": "CVE-2024-45003", "sightings": [{"uuid": "77ff12e0-8d80-45a3-bc57-6c6504eed576", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-45003", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-07", "content": "", "creation_timestamp": "2025-08-14T10:00:00.000000Z"}, {"uuid": "45361036-74a8-4385-acb0-8b7f16a10acb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-45003", "type": "seen", "source": "https://t.me/cvedetector/4864", "content": "{\n \"Source\": \"CVE FEED\",\n \"Title\": \"CVE-2024-45003 - Linux Kernel Ext4 and Ubifs INode LRU Isolation Deadlock\", \n \"Content\": \"CVE ID : CVE-2024-45003 \nPublished : Sept. 4, 2024, 8:15 p.m. | 27\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved: \n \nvfs: Don't evict inode under the inode lru traversing context \n \nThe inode reclaiming process(See function prune_icache_sb) collects all \nreclaimable inodes and mark them with I_FREEING flag at first, at that \ntime, other processes will be stuck if they try getting these inodes \n(See function find_inode_fast), then the reclaiming process destroy the \ninodes by function dispose_list(). Some filesystems(eg. ext4 with \nea_inode feature, ubifs with xattr) may do inode lookup in the inode \nevicting callback function, if the inode lookup is operated under the \ninode lru traversing context, deadlock problems may happen. \n \nCase 1: In function ext4_evict_inode(), the ea inode lookup could happen \n if ea_inode feature is enabled, the lookup process will be stuck \n under the evicting context like this: \n \n 1. File A has inode i_reg and an ea inode i_ea \n 2. getfattr(A, xattr_buf) // i_ea is added into lru // lru->i_ea \n 3. Then, following three processes running like this: \n \n PA PB \n echo 2 > /proc/sys/vm/drop_caches \n shrink_slab \n prune_dcache_sb \n // i_reg is added into lru, lru->i_ea->i_reg \n prune_icache_sb \n list_lru_walk_one \n inode_lru_isolate \n i_ea->i_state |= I_FREEING // set inode state \n inode_lru_isolate \n __iget(i_reg) \n spin_unlock(&i_reg->i_lock) \n spin_unlock(lru_lock) \n rm file A \n i_reg->nlink = 0 \n iput(i_reg) // i_reg->nlink is 0, do evict \n ext4_evict_inode \n ext4_xattr_delete_inode \n ext4_xattr_inode_dec_ref_all \n ext4_xattr_inode_iget \n ext4_iget(i_ea->i_ino) \n iget_locked \n find_inode_fast \n __wait_on_freeing_inode(i_ea) ----\u2192 AA deadlock \n dispose_list // cannot be executed by prune_icache_sb \n wake_up_bit(&i_ea->i_state) \n \nCase 2: In deleted inode writing function ubifs_jnl_write_inode(), file \n deleting process holds BASEHD's wbuf->io_mutex while getting the \n xattr inode, which could race with inode reclaiming process(The \n reclaiming process could try locking BASEHD's wbuf->io_mutex in \n inode evicting function), then an ABBA deadlock problem would \n happen as following: \n \n 1. File A has inode ia and a xattr(with inode ixa), regular file B has \n inode ib and a xattr. \n 2. getfattr(A, xattr_buf) // ixa is added into lru // lru->ixa \n 3. Then, following three processes running like this: \n \n PA PB PC \n echo 2 > /proc/sys/vm/drop_caches \n shrink_slab \n prune_dcache_sb \n // ib and ia are added into lru, lru->ixa->ib->ia \n prune_icache_sb \n list_lru_walk_one \n inode_lru_isolate \n ixa->i_state |= I_FREEING // set inode state \n inode_lru_isolate \n __iget(ib) \n spin_unlock(&ib->i_lock) \n spin_unlock(lru_lock) \n rm file B \n ib->nlink = 0 \n rm file A \n iput(ia) \n ubifs_evict_inode(ia) \n ubifs_jnl_delete_inode(ia) \n ubifs_jnl_write_inode(ia) \n make_reservation(BASEHD) // Lock wbuf->io_mutex \n ubifs_iget(ixa->i_ino) \n iget_locked \n find_inode_fast \n __wait_on_freeing_inode(ixa) \n | iput(ib) // ib->nlink is 0, do evict \n | ubifs_evict_inode \n | ubifs_jnl_delete_inode(ib) \n \u2193 [...]", "creation_timestamp": "2024-09-04T22:47:32.000000Z"}]}