medium
5.5
CWE
667
Advisory Published
CVE Published
Updated

CVE-2024-40972: ext4: do not create EA inode under buffer lock

First published: Fri Jul 12 2024(Updated: )

In the Linux kernel, the following vulnerability has been resolved: ext4: do not create EA inode under buffer lock ext4_xattr_set_entry() creates new EA inodes while holding buffer lock on the external xattr block. This is problematic as it nests all the allocation locking (which acquires locks on other buffers) under the buffer lock. This can even deadlock when the filesystem is corrupted and e.g. quota file is setup to contain xattr block as data block. Move the allocation of EA inode out of ext4_xattr_set_entry() into the callers.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected SoftwareAffected VersionHow to fix
redhat/kernel<6.9.7
6.9.7
redhat/kernel<6.10
6.10
Linux Kernel<6.1.107
Linux Kernel>=6.2<6.6.47
Linux Kernel>=6.7<6.9.7
IBM Security Verify Governance - Identity Manager<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux<=5.10.223-1<=5.10.234-1
6.1.129-1
6.1.128-1
6.12.21-1
6.12.22-1
debian/linux-6.1
6.1.129-1~deb11u1

Remedy

https://git.kernel.org/stable/c/0752e7fb549d90c33b4d4186f11cfd25a556d1dd

Remedy

https://git.kernel.org/stable/c/0a46ef234756dca04623b7591e8ebb3440622f0b

Remedy

https://git.kernel.org/stable/c/111103907234bffd0a34fba070ad9367de058752

Remedy

https://git.kernel.org/stable/c/737fb7853acd5bc8984f6f42e4bfba3334be8ae1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the severity of CVE-2024-40972?

    CVE-2024-40972 has been assigned a medium severity, indicating a moderate impact on systems in which it exists.

  • How do I fix CVE-2024-40972?

    To fix CVE-2024-40972, update the Linux kernel to versions 6.9.7, 6.10, or apply the indicated patches for the affected distributions.

  • Which Linux kernel versions are affected by CVE-2024-40972?

    CVE-2024-40972 affects Linux kernel versions prior to 6.9.7 and certain earlier 6.x versions.

  • Is CVE-2024-40972 exploitable remotely?

    Currently, there is no information indicating that CVE-2024-40972 is remotely exploitable.

  • What type of vulnerability is CVE-2024-40972?

    CVE-2024-40972 is a vulnerability in the ext4 filesystem related to inode handling under buffer locks.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203