[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2021-47635":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T02:53:27.892Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":17,"related":18,"reserved_at":9,"published_at":19,"modified_at":20,"state":9,"summary":21,"references_raw":23,"kevs":30,"epss":9,"epss_history":31,"metrics":32,"affected":39},"DEBIAN-CVE-2021-47635","In the Linux kernel, the following vulnerability has been resolved:  ubifs: Fix to add refcount once page is set private  MM defined the rule [1] very clearly that once page was set with PG_private flag, we should increment the refcount in that page, also main flows like pageout(), migrate_page() will assume there is one additional page reference count if page_has_private() returns true. Otherwise, we may get a BUG in page migration:    page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8   index:0xe2 pfn:0x14c12   aops:ubifs_file_address_operations [ubifs] ino:8f1 dentry name:\"f30e\"   flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0|   zone=1|lastcpupid=0x1fffff)   page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0)   ------------[ cut here ]------------   kernel BUG at include/linux/page_ref.h:184!   invalid opcode: 0000 [#1] SMP   CPU: 3 PID: 38 Comm: kcompactd0 Not tainted 5.15.0-rc5   RIP: 0010:migrate_page_move_mapping+0xac3/0xe70   Call Trace:     ubifs_migrate_page+0x22/0xc0 [ubifs]     move_to_new_page+0xb4/0x600     migrate_pages+0x1523/0x1cc0     compact_zone+0x8c5/0x14b0     kcompactd+0x2bc/0x560     kthread+0x18c/0x1e0     ret_from_fork+0x1f/0x30  Before the time, we should make clean a concept, what does refcount means in page gotten from grab_cache_page_write_begin(). There are 2 situations: Situation 1: refcount is 3, page is created by __page_cache_alloc.   
TYPE_A - the write process is using this page   TYPE_B - page is assigned to one certain mapping by calling \t   __add_to_page_cache_locked()   TYPE_C - page is added into pagevec list corresponding current cpu by \t   calling lru_cache_add() Situation 2: refcount is 2, page is gotten from the mapping's tree   TYPE_B - page has been assigned to one certain mapping   TYPE_A - the write process is using this page (by calling \t   page_cache_get_speculative()) Filesystem releases one refcount by calling put_page() in xxx_write_end(), the released refcount corresponds to TYPE_A (write task is using it). If there are any processes using a page, page migration process will skip the page by judging whether expected_page_refs() equals to page refcount.  The BUG is caused by following process:     PA(cpu 0)                           kcompactd(cpu 1) \t\t\t\tcompact_zone ubifs_write_begin   page_a = grab_cache_page_write_begin     add_to_page_cache_lru       lru_cache_add         pagevec_add // put page into cpu 0's pagevec   (refcnt = 3, for page creation process) ubifs_write_end   SetPagePrivate(page_a) // doesn't increase page count !   unlock_page(page_a)   put_page(page_a)  // refcnt = 2 \t\t\t\t[...]      
PB(cpu 0) filemap_read   filemap_get_pages     add_to_page_cache_lru       lru_cache_add         __pagevec_lru_add // traverse all pages in cpu 0's pagevec \t  __pagevec_lru_add_fn \t    SetPageLRU(page_a) \t\t\t\tisolate_migratepages                                   isolate_migratepages_block \t\t\t\t    get_page_unless_zero(page_a) \t\t\t\t    // refcnt = 3                                       list_add(page_a, from_list) \t\t\t\tmigrate_pages(from_list) \t\t\t\t  __unmap_and_move \t\t\t\t    move_to_new_page \t\t\t\t      ubifs_migrate_page(page_a) \t\t\t\t        migrate_page_move_mapping \t\t\t\t\t  expected_page_refs get 3                                   (migration[1] + mapping[1] + private[1]) \t release_pages \t   put_page_testzero(page_a) // refcnt = 3                                           page_ref_freeze  // refcnt = 0 \t     page_ref_dec_and_test(0 - 1 = -1)                                           page_ref_unfreeze                                             VM_BUG_ON_PAGE(-1 != 0, page)  UBIFS doesn't increase the page refcount after setting private flag, which leads to page migration task believes the page is not used by any other processes, so the page is migrated. This causes concurrent accessing on page refcount between put_page() called by other process(eg. 
read process calls lru_cache_add) and page_ref_unfreeze() called by mi ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2021-47635",[],[],[],"2025-02-26T06:37:05.280Z","2026-04-28T20:23:34.046548Z",{"cisa_kev":22,"cisa_ransomware":22,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[24],{"url":25,"sources":26,"tags":28},"https://security-tracker.debian.org/tracker/CVE-2021-47635",[27],"osv_debian",[29],"Advisory",[],[],[33],{"source":27,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":34,"cvss_v4_0":9},{"baseScore":35,"baseSeverity":9,"vectorString":36,"impactScore":37,"exploitabilityScore":38},5.5,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",6,4.6,[40],{"ecosystem":41,"name":42,"vendor":43,"product":42,"cpe_part":9,"purl_type":44,"purl_namespace":43,"purl_name":42,"source":9,"versions":45},"Debian","linux","debian","deb",[46,52,55,56],{"version":47,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":50,"version_end_type":51,"fixed_in":9},"lt5_10_113_1",true,"ecosystem","5.10.113-1","excluding",{"version":53,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":51,"fixed_in":9},"lt5_17_3_1","5.17.3-1",{"version":53,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":51,"fixed_in":9},{"version":53,"is_range":48,"range_type":49,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":51,"fixed_in":9}]