{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-40998","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-07-12T12:17:45.607Z","datePublished":"2024-07-12T12:37:39.823Z","dateUpdated":"2026-01-05T10:37:15.173Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-01-05T10:37:15.173Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()\n\nIn the following concurrency we will access the uninitialized rs->lock:\n\next4_fill_super\n  ext4_register_sysfs\n   // sysfs registered msg_ratelimit_interval_ms\n                             // Other processes modify rs->interval to\n                             // non-zero via msg_ratelimit_interval_ms\n  ext4_orphan_cleanup\n    ext4_msg(sb, KERN_INFO, \"Errors on filesystem, \"\n      __ext4_msg\n        ___ratelimit(&(EXT4_SB(sb)->s_msg_ratelimit_state)\n          if (!rs->interval)  // do nothing if interval is 0\n            return 1;\n          raw_spin_trylock_irqsave(&rs->lock, flags)\n            raw_spin_trylock(lock)\n              _raw_spin_trylock\n                __raw_spin_trylock\n                  spin_acquire(&lock->dep_map, 0, 1, _RET_IP_)\n                    lock_acquire\n                      __lock_acquire\n                        register_lock_class\n                          assign_lock_key\n                            dump_stack();\n  ratelimit_state_init(&sbi->s_msg_ratelimit_state, 5 * HZ, 10);\n    raw_spin_lock_init(&rs->lock);\n    // init rs->lock here\n\nand get the following dump_stack:\n\n=========================================================\nINFO: trying to register non-static key.\nThe code is fine but needs lockdep annotation, or maybe\nyou didn't initialize this object before use?\nturning off the locking correctness validator.\nCPU: 12 PID: 753 Comm: mount Tainted: G E 6.7.0-rc6-next-20231222 #504\n[...]\nCall Trace:\n dump_stack_lvl+0xc5/0x170\n dump_stack+0x18/0x30\n register_lock_class+0x740/0x7c0\n __lock_acquire+0x69/0x13a0\n lock_acquire+0x120/0x450\n _raw_spin_trylock+0x98/0xd0\n ___ratelimit+0xf6/0x220\n __ext4_msg+0x7f/0x160 [ext4]\n ext4_orphan_cleanup+0x665/0x740 [ext4]\n __ext4_fill_super+0x21ea/0x2b10 [ext4]\n ext4_fill_super+0x14d/0x360 [ext4]\n[...]\n=========================================================\n\nNormally interval is 0 until s_msg_ratelimit_state is initialized, so\n___ratelimit() does nothing. But registering sysfs precedes initializing\nrs->lock, so it is possible to change rs->interval to a non-zero value\nvia the msg_ratelimit_interval_ms interface of sysfs while rs->lock is\nuninitialized, and then a call to ext4_msg triggers the problem by\naccessing an uninitialized rs->lock. Therefore register sysfs after all\ninitializations are complete to avoid such problems."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/super.c"],"versions":[{"version":"efbed4dc5857f845d787e406ce85097d1ccc5c4f","lessThan":"23afcd52af06880c6c913a0ad99022b8937b575c","status":"affected","versionType":"git"},{"version":"efbed4dc5857f845d787e406ce85097d1ccc5c4f","lessThan":"645267906944a9aeec9d5c56ee24a9096a288798","status":"affected","versionType":"git"},{"version":"efbed4dc5857f845d787e406ce85097d1ccc5c4f","lessThan":"b4b4fda34e535756f9e774fb2d09c4537b7dfd1c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/super.c"],"versions":[{"version":"3.13","status":"affected"},{"version":"0","lessThan":"3.13","status":"unaffected","versionType":"semver"},{"version":"6.6.36","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.9.7","lessThanOrEqual":"6.9.*","status":"unaffected","versionType":"semver"},{"version":"6.10","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.6.36"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.9.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.13","versionEndExcluding":"6.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/23afcd52af06880c6c913a0ad99022b8937b575c"},{"url":"https://git.kernel.org/stable/c/645267906944a9aeec9d5c56ee24a9096a288798"},{"url":"https://git.kernel.org/stable/c/b4b4fda34e535756f9e774fb2d09c4537b7dfd1c"}],"title":"ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T04:39:56.156Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/23afcd52af06880c6c913a0ad99022b8937b575c","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/645267906944a9aeec9d5c56ee24a9096a288798","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b4b4fda34e535756f9e774fb2d09c4537b7dfd1c","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-40998","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T17:01:25.647023Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:34:19.460Z"}}]}}