CVE-2021-47579 in Linux

Summary

by MITRE • 06/19/2024

In the Linux kernel, the following vulnerability has been resolved:

ovl: fix warning in ovl_create_real()

Syzbot triggered the following warning in ovl_workdir_create() -> ovl_create_real():

if (!err && WARN_ON(!newdentry->d_inode)) {

The reason is that the cgroup2 filesystem returns from mkdir without instantiating the new dentry.

Weird filesystems such as this will be rejected by overlayfs at a later stage during setup, but to prevent such a warning, call ovl_mkdir_real() directly from ovl_workdir_create() and reject this case early.


Analysis

by VulDB Data Team • 10/04/2025

The vulnerability CVE-2021-47579 represents a warning condition within the Linux kernel's overlay filesystem implementation that arises from improper handling of directory creation operations in specific filesystem contexts. This issue manifests in the ovl_create_real() function where a warning is triggered due to a mismatch between expected and actual dentry instantiation behavior. The warning occurs during the overlay filesystem's work directory creation process, specifically when transitioning from ovl_workdir_create() to ovl_create_real(). The root cause stems from the cgroup2 filesystem's unusual behavior where the mkdir operation completes successfully but fails to instantiate the new dentry object, leaving newdentry->d_inode as NULL. This particular filesystem behavior violates the expected contract that mkdir operations should properly instantiate directory entries, creating a discrepancy that the overlay filesystem's warning mechanism detects.

The technical flaw resides in the overlay filesystem's assumption about filesystem behavior during directory creation operations. When overlayfs attempts to create a real directory in a work directory, it expects that the underlying filesystem will properly instantiate the dentry structure immediately upon completion of the mkdir operation. However, the cgroup2 filesystem returns from mkdir without instantiating the new dentry, which causes the subsequent warning condition to trigger when the code checks for the presence of the dentry's inode. This pattern of filesystem behavior creates a race condition or inconsistency in the expected filesystem interface, where the overlay filesystem cannot reliably determine whether a directory creation operation was properly completed. The warning mechanism itself is designed to catch such inconsistencies, but the current implementation does not handle this specific edge case gracefully, resulting in unnecessary warning messages that could obscure more serious issues.

The operational impact of this vulnerability primarily affects system administrators and kernel developers who monitor kernel warnings and logs for potential security or stability issues. While this specific vulnerability does not represent a direct security exploit, the warning condition can generate false positives in monitoring systems that treat kernel warnings as potential security indicators. The issue particularly affects systems running with cgroup2 filesystem integration where overlay filesystem operations are performed, potentially leading to increased log noise and reduced signal-to-noise ratio in system monitoring. The warning does not compromise system security or stability directly, but it can create confusion during debugging sessions and may mask other genuine issues in kernel operations. This type of warning condition can also impact automated security scanning tools that flag kernel warnings as potential security concerns, leading to unnecessary investigations and resource allocation.

The recommended mitigation strategy involves modifying the overlay filesystem implementation to handle the specific case of filesystems that do not instantiate dentries immediately upon mkdir completion. The solution requires calling ovl_mkdir_real() directly from ovl_workdir_create() and implementing early rejection of filesystems that exhibit this behavior during the setup phase. This approach prevents the warning from occurring by addressing the root cause at the point of detection rather than allowing the warning to be triggered later in the process. The fix aligns with common security practices for handling filesystem interface inconsistencies and follows the principle of early validation and rejection of problematic cases. From a cybersecurity perspective, this vulnerability demonstrates the importance of robust error handling in kernel subsystems and the need for defensive programming practices when dealing with potentially inconsistent filesystem behaviors. The mitigation approach also reflects standards such as CWE-252, which addresses the issue of unchecked return values and improper error handling in system software components. This type of fix ensures that the overlay filesystem maintains consistent behavior across different underlying filesystems while preventing misleading warning messages that could impact operational security monitoring systems.
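The early-rejection pattern described above, as a userspace C model added here for illustration; it is not the kernel's code or the actual patch. The struct layouts, the function names and both error codes are assumptions of the model.

```c
/* Userspace model of the overlayfs workdir check. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct inode { int ino; };
struct dentry { struct inode *d_inode; };  /* NULL d_inode models a negative dentry */
typedef int (*mkdir_op)(struct dentry *);

static struct inode model_inode = { 1 };
static int warnings;                       /* counts modelled WARN_ON() hits */

/* Ordinary backend: mkdir succeeds and instantiates the dentry. */
static int mkdir_regular(struct dentry *d) { d->d_inode = &model_inode; return 0; }

/* cgroup2-like backend: mkdir returns 0 but leaves the dentry negative. */
static int mkdir_lazy(struct dentry *d) { (void)d; return 0; }

/* Before: the shared create path treats "success, no inode" as a bug and warns. */
static int create_real_before(mkdir_op op, struct dentry *d)
{
    int err = op(d);
    if (!err && !d->d_inode) {  /* models: if (!err && WARN_ON(!newdentry->d_inode)) */
        warnings++;
        err = -EIO;             /* assumed error code */
    }
    return err;
}

/* After: the workdir path calls mkdir directly and rejects the case without warning. */
static int workdir_create_after(mkdir_op op, struct dentry *d)
{
    int err = op(d);
    if (err)
        return err;
    if (!d->d_inode)
        return -EINVAL;         /* assumed error code; setup fails early and quietly */
    return 0;
}

int main(void)
{
    struct dentry a = { NULL }, b = { NULL };
    int before = create_real_before(mkdir_lazy, &a);
    int after = workdir_create_after(mkdir_lazy, &b);
    printf("before: err=%d warnings=%d\n", before, warnings);
    printf("after:  err=%d warnings=%d\n", after, warnings);
    return 0;
}
```
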

Reservation

05/24/2024

Disclosure

06/19/2024

Moderation

accepted

CPE

ready

EPSS

0.00235

KEV

no

Activities

very low
