CVE-2021-47635 (GCVE-0-2021-47635)
Vulnerability from cvelistv5
Published
2025-02-26 01:54
Modified
2025-05-04 07:15
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix to add refcount once page is set private MM defined the rule [1] very clearly that once page was set with PG_private flag, we should increment the refcount in that page, also main flows like pageout(), migrate_page() will assume there is one additional page reference count if page_has_private() returns true. Otherwise, we may get a BUG in page migration: page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8 index:0xe2 pfn:0x14c12 aops:ubifs_file_address_operations [ubifs] ino:8f1 dentry name:"f30e" flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0| zone=1|lastcpupid=0x1fffff) page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0) ------------[ cut here ]------------ kernel BUG at include/linux/page_ref.h:184! invalid opcode: 0000 [#1] SMP CPU: 3 PID: 38 Comm: kcompactd0 Not tainted 5.15.0-rc5 RIP: 0010:migrate_page_move_mapping+0xac3/0xe70 Call Trace: ubifs_migrate_page+0x22/0xc0 [ubifs] move_to_new_page+0xb4/0x600 migrate_pages+0x1523/0x1cc0 compact_zone+0x8c5/0x14b0 kcompactd+0x2bc/0x560 kthread+0x18c/0x1e0 ret_from_fork+0x1f/0x30 Before the time, we should make clean a concept, what does refcount means in page gotten from grab_cache_page_write_begin(). There are 2 situations: Situation 1: refcount is 3, page is created by __page_cache_alloc. TYPE_A - the write process is using this page TYPE_B - page is assigned to one certain mapping by calling __add_to_page_cache_locked() TYPE_C - page is added into pagevec list corresponding current cpu by calling lru_cache_add() Situation 2: refcount is 2, page is gotten from the mapping's tree TYPE_B - page has been assigned to one certain mapping TYPE_A - the write process is using this page (by calling page_cache_get_speculative()) Filesystem releases one refcount by calling put_page() in xxx_write_end(), the released refcount corresponds to TYPE_A (write task is using it). If there are any processes using a page, page migration process will skip the page by judging whether expected_page_refs() equals to page refcount. The BUG is caused by following process: PA(cpu 0) kcompactd(cpu 1) compact_zone ubifs_write_begin page_a = grab_cache_page_write_begin add_to_page_cache_lru lru_cache_add pagevec_add // put page into cpu 0's pagevec (refcnf = 3, for page creation process) ubifs_write_end SetPagePrivate(page_a) // doesn't increase page count ! unlock_page(page_a) put_page(page_a) // refcnt = 2 [...] PB(cpu 0) filemap_read filemap_get_pages add_to_page_cache_lru lru_cache_add __pagevec_lru_add // traverse all pages in cpu 0's pagevec __pagevec_lru_add_fn SetPageLRU(page_a) isolate_migratepages isolate_migratepages_block get_page_unless_zero(page_a) // refcnt = 3 list_add(page_a, from_list) migrate_pages(from_list) __unmap_and_move move_to_new_page ubifs_migrate_page(page_a) migrate_page_move_mapping expected_page_refs get 3 (migration[1] + mapping[1] + private[1]) release_pages put_page_testzero(page_a) // refcnt = 3 page_ref_freeze // refcnt = 0 page_ref_dec_and_test(0 - 1 = -1) page_ref_unfreeze VM_BUG_ON_PAGE(-1 != 0, page) UBIFS doesn't increase the page refcount after setting private flag, which leads to page migration task believes the page is not used by any other processes, so the page is migrated. This causes concurrent accessing on page refcount between put_page() called by other process(eg. read process calls lru_cache_add) and page_ref_unfreeze() called by mi ---truncated---
Impacted products
Vendor Product Version
Linux Linux Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Version: 1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d
Create a notification for this product.
   Linux Linux Version: 2.6.27
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ubifs/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c34ae24a2590fee96a3a7735ba2fa6cc52306221",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "4f75bab98565afd4f905059c56ec4caba88a7eec",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "5aaa2c0f0052b02c4a982993d4c5bb68fb7cbe22",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "fbeb2139eed65e929ce806c6468e6601ade01b1b",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            },
            {
              "lessThan": "3b67db8a6ca83e6ff90b756d3da0c966f61cd37b",
              "status": "affected",
              "version": "1e51764a3c2ac05a23a22b2a95ddee4d9bffb16d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ubifs/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.27"
            },
            {
              "lessThan": "2.6.27",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.110",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.110",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.33",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.19",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.2",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix to add refcount once page is set private\n\nMM defined the rule [1] very clearly that once page was set with PG_private\nflag, we should increment the refcount in that page, also main flows like\npageout(), migrate_page() will assume there is one additional page\nreference count if page_has_private() returns true. Otherwise, we may\nget a BUG in page migration:\n\n  page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8\n  index:0xe2 pfn:0x14c12\n  aops:ubifs_file_address_operations [ubifs] ino:8f1 dentry name:\"f30e\"\n  flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0|\n  zone=1|lastcpupid=0x1fffff)\n  page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0)\n  ------------[ cut here ]------------\n  kernel BUG at include/linux/page_ref.h:184!\n  invalid opcode: 0000 [#1] SMP\n  CPU: 3 PID: 38 Comm: kcompactd0 Not tainted 5.15.0-rc5\n  RIP: 0010:migrate_page_move_mapping+0xac3/0xe70\n  Call Trace:\n    ubifs_migrate_page+0x22/0xc0 [ubifs]\n    move_to_new_page+0xb4/0x600\n    migrate_pages+0x1523/0x1cc0\n    compact_zone+0x8c5/0x14b0\n    kcompactd+0x2bc/0x560\n    kthread+0x18c/0x1e0\n    ret_from_fork+0x1f/0x30\n\nBefore the time, we should make clean a concept, what does refcount means\nin page gotten from grab_cache_page_write_begin(). There are 2 situations:\nSituation 1: refcount is 3, page is created by __page_cache_alloc.\n  TYPE_A - the write process is using this page\n  TYPE_B - page is assigned to one certain mapping by calling\n\t   __add_to_page_cache_locked()\n  TYPE_C - page is added into pagevec list corresponding current cpu by\n\t   calling lru_cache_add()\nSituation 2: refcount is 2, page is gotten from the mapping\u0027s tree\n  TYPE_B - page has been assigned to one certain mapping\n  TYPE_A - the write process is using this page (by calling\n\t   page_cache_get_speculative())\nFilesystem releases one refcount by calling put_page() in xxx_write_end(),\nthe released refcount corresponds to TYPE_A (write task is using it). If\nthere are any processes using a page, page migration process will skip the\npage by judging whether expected_page_refs() equals to page refcount.\n\nThe BUG is caused by following process:\n    PA(cpu 0)                           kcompactd(cpu 1)\n\t\t\t\tcompact_zone\nubifs_write_begin\n  page_a = grab_cache_page_write_begin\n    add_to_page_cache_lru\n      lru_cache_add\n        pagevec_add // put page into cpu 0\u0027s pagevec\n  (refcnf = 3, for page creation process)\nubifs_write_end\n  SetPagePrivate(page_a) // doesn\u0027t increase page count !\n  unlock_page(page_a)\n  put_page(page_a)  // refcnt = 2\n\t\t\t\t[...]\n\n    PB(cpu 0)\nfilemap_read\n  filemap_get_pages\n    add_to_page_cache_lru\n      lru_cache_add\n        __pagevec_lru_add // traverse all pages in cpu 0\u0027s pagevec\n\t  __pagevec_lru_add_fn\n\t    SetPageLRU(page_a)\n\t\t\t\tisolate_migratepages\n                                  isolate_migratepages_block\n\t\t\t\t    get_page_unless_zero(page_a)\n\t\t\t\t    // refcnt = 3\n                                      list_add(page_a, from_list)\n\t\t\t\tmigrate_pages(from_list)\n\t\t\t\t  __unmap_and_move\n\t\t\t\t    move_to_new_page\n\t\t\t\t      ubifs_migrate_page(page_a)\n\t\t\t\t        migrate_page_move_mapping\n\t\t\t\t\t  expected_page_refs get 3\n                                  (migration[1] + mapping[1] + private[1])\n\t release_pages\n\t   put_page_testzero(page_a) // refcnt = 3\n                                          page_ref_freeze  // refcnt = 0\n\t     page_ref_dec_and_test(0 - 1 = -1)\n                                          page_ref_unfreeze\n                                            VM_BUG_ON_PAGE(-1 != 0, page)\n\nUBIFS doesn\u0027t increase the page refcount after setting private flag, which\nleads to page migration task believes the page is not used by any other\nprocesses, so the page is migrated. This causes concurrent accessing on\npage refcount between put_page() called by other process(eg. read process\ncalls lru_cache_add) and page_ref_unfreeze() called by mi\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:15:14.250Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c34ae24a2590fee96a3a7735ba2fa6cc52306221"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f75bab98565afd4f905059c56ec4caba88a7eec"
        },
        {
          "url": "https://git.kernel.org/stable/c/5aaa2c0f0052b02c4a982993d4c5bb68fb7cbe22"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbeb2139eed65e929ce806c6468e6601ade01b1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b67db8a6ca83e6ff90b756d3da0c966f61cd37b"
        }
      ],
      "title": "ubifs: Fix to add refcount once page is set private",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47635",
    "datePublished": "2025-02-26T01:54:09.701Z",
    "dateReserved": "2025-02-26T01:48:21.518Z",
    "dateUpdated": "2025-05-04T07:15:14.250Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…