CVE-2021-46972 in Linux

Summary

by MITRE • 02/27/2024

In the Linux kernel, the following vulnerability has been resolved:

ovl: fix leaked dentry

Since commit 6815f479ca90 ("ovl: use only uppermetacopy state in ovl_lookup()"), overlayfs doesn't put temporary dentry when there is a metacopy error, which leads to dentry leaks when shutting down the related superblock:

  overlayfs: refusing to follow metacopy origin for (/file0)
  ...
  BUG: Dentry (____ptrval____){i=3f33,n=file3} still in use (1) [unmount of overlay overlay]
  ...
  WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d
  CPU: 1 PID: 432 Comm: unmount-overlay Not tainted 5.12.0-rc5 #1
  ...
  RIP: 0010:umount_check.cold+0x107/0x14d
  ...
  Call Trace:
   d_walk+0x28c/0x950
   ? dentry_lru_isolate+0x2b0/0x2b0
   ? __kasan_slab_free+0x12/0x20
   do_one_tree+0x33/0x60
   shrink_dcache_for_umount+0x78/0x1d0
   generic_shutdown_super+0x70/0x440
   kill_anon_super+0x3e/0x70
   deactivate_locked_super+0xc4/0x160
   deactivate_super+0xfa/0x140
   cleanup_mnt+0x22e/0x370
   __cleanup_mnt+0x1a/0x30
   task_work_run+0x139/0x210
   do_exit+0xb0c/0x2820
   ? __kasan_check_read+0x1d/0x30
   ? find_held_lock+0x35/0x160
   ? lock_release+0x1b6/0x660
   ? mm_update_next_owner+0xa20/0xa20
   ? reacquire_held_locks+0x3f0/0x3f0
   ? __sanitizer_cov_trace_const_cmp4+0x22/0x30
   do_group_exit+0x135/0x380
   __do_sys_exit_group.isra.0+0x20/0x20
   __x64_sys_exit_group+0x3c/0x50
   do_syscall_64+0x45/0x70
   entry_SYSCALL_64_after_hwframe+0x44/0xae
  ...
  VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds. Have a nice day...

This fix has been tested with a syzkaller reproducer.

Analysis

by VulDB Data Team • 06/17/2025

The vulnerability CVE-2021-46972 represents a critical dentry leak issue within the Linux kernel's overlay filesystem implementation. This flaw manifests during overlayfs shutdown operations when the filesystem encounters metacopy errors, leading to persistent dentry references that prevent proper unmounting of the filesystem. The vulnerability stems from a regression introduced in commit 6815f479ca90 where overlayfs was modified to use only uppermetacopy state in ovl_lookup(), inadvertently causing temporary dentries to remain in use when metacopy operations fail. The technical root cause involves improper dentry management where the kernel fails to properly release temporary dentry structures during error conditions, creating a memory leak that accumulates over time and ultimately prevents filesystem unmounting operations.

The operational impact of this vulnerability extends beyond simple resource leakage to potentially cause system instability and denial of service conditions. When overlayfs attempts to shut down, the kernel's umount_check function detects that dentries are still in use, triggering a cascade of error messages including "BUG: Dentry still in use" and "VFS: Busy inodes after unmount". This condition forces the system to issue a self-destruct warning with a five-second countdown, indicating that the filesystem cannot be properly unmounted due to lingering references. The issue affects systems running kernel versions that include the problematic commit, particularly those utilizing overlayfs for container operations, virtualization, or layered filesystem implementations, making it a significant concern for enterprise environments and cloud infrastructure deployments.

The mitigation strategy for CVE-2021-46972 involves applying the kernel patch that corrects the dentry leak by ensuring proper cleanup of temporary dentries when metacopy errors occur. This fix aligns with the established security principle of resource management and proper memory cleanup, addressing a weakness categorized under CWE-404, which deals with improper resource release or unbalanced resource management. The vulnerability also relates to ATT&CK technique T1490, which covers data destruction through resource exhaustion, as the dentry leak could potentially lead to system resource exhaustion if left unaddressed. Organizations should prioritize kernel updates to versions containing the fix, particularly those running containerized environments or systems utilizing overlay filesystems for storage layering operations, as the vulnerability can be exploited through filesystem unmount operations to cause system instability and potential denial of service conditions.
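
The kernel messages quoted in the summary can serve as a detection signal on hosts that have not yet been patched. The following Python is an added example, not code from VulDB or the kernel project: it scans kernel log lines for those messages and reports each leaked overlay dentry. The sample log lines are constructed from the messages above, and the function name and finding fields are assumptions of this example.

```python
import re

# Patterns follow the wording of the kernel messages quoted in the advisory.
METACOPY_RE = re.compile(
    r"overlayfs: refusing to follow metacopy origin for \((?P<path>[^)]*)\)")
DENTRY_RE = re.compile(
    r"BUG: Dentry [^{]*\{i=(?P<ino>[0-9a-f]+),n=(?P<name>[^}]*)\}\s+"
    r"still in use \((?P<count>-?\d+)\) "
    r"\[unmount of (?P<fstype>\S+) (?P<sb>[^\]]+)\]")
BUSY_RE = re.compile(r"VFS: Busy inodes after unmount of (?P<sb>.+?)\. Self-destruct")

def find_overlay_dentry_leaks(lines):
    """Return one finding per overlay dentry reported as still in use at unmount."""
    findings, metacopy_paths, busy = [], [], set()
    for line in lines:
        if m := METACOPY_RE.search(line):
            metacopy_paths.append(m["path"])  # metacopy error preceding the leak
        elif m := DENTRY_RE.search(line):
            if m["fstype"] != "overlay":      # other filesystems are out of scope
                continue
            findings.append({
                "inode": int(m["ino"], 16),   # the kernel prints the inode in hex
                "name": m["name"],
                "refcount": int(m["count"]),
                "sb": m["sb"],
                "metacopy_errors": list(metacopy_paths),
            })
        elif m := BUSY_RE.search(line):
            busy.add(m["sb"])
    for f in findings:                        # confirm with the final VFS message
        f["busy_inodes"] = f["sb"] in busy
    return findings

# Constructed sample: timestamps and the first line are invented for the example.
SAMPLE_DMESG = """\
[   41.100000] EXT4-fs (vda1): re-mounted. Opts: (null)
[   52.310000] overlayfs: refusing to follow metacopy origin for (/file0)
[   52.900000] BUG: Dentry (____ptrval____){i=3f33,n=file3}  still in use (1) [unmount of overlay overlay]
[   52.900100] WARNING: CPU: 1 PID: 432 at umount_check.cold+0x107/0x14d
[   52.950000] VFS: Busy inodes after unmount of overlay. Self-destruct in 5 seconds.  Have a nice day...
""".splitlines()

if __name__ == "__main__":
    for finding in find_overlay_dentry_leaks(SAMPLE_DMESG):
        print(finding)
```

A finding with a non-empty `metacopy_errors` list and `busy_inodes` set matches the sequence shown in the summary; a host producing it should be checked against the kernel fix.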

Reservation

02/27/2024

Disclosure

02/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00249

KEV

no

Activities

very low
