CVE-2022-50241

Source: https://cve.org/CVERecord?id=CVE-2022-50241
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50241.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2022-50241
Published: 2025-09-15T14:01:47.539Z
Modified: 2026-03-20T11:47:20.887895Z
Summary
NFSD: fix use-after-free on source server when doing inter-server copy
Details

In the Linux kernel, the following vulnerability has been resolved:

NFSD: fix use-after-free on source server when doing inter-server copy

Use-after-free occurred when the laundromat tried to free expired cpntf_state entry on the s2s_cp_stateids list after inter-server copy completed. The sc_cp_list that the expired copy state was inserted on was already freed.

When COPY completes, the Linux client normally sends LOCKU(lock_state x), FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server. The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state from the s2s_cp_stateids list before freeing the lock state's stid.

However, sometimes the CLOSE was sent before the FREE_STATEID request. When this happens, the nfsd4_close_open_stateid call from nfsd4_close frees all lock states on its st_locks list without cleaning up the copy state on the sc_cp_list list. When the FREE_STATEID arrives, the server returns BAD_STATEID since the lock state was freed. This causes the use-after-free error to occur when the laundromat tries to free the expired cpntf_state.

This patch adds a call to nfs4_free_cpntf_statelist in nfsd4_close_open_stateid to clean up the copy state before calling free_ol_stateid_reaplist to free the lock state's stid on the reaplist.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50241.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: 624322f1adc58acd0b69f77a6ddc764207e97241
Fixed: bbacfcde5fff25ac22597e8373a065c647da6738
Fixed: 83b94969751a691347606dbe6b1865efcfa5a643
Fixed: 6ea71246b7a02af675d733e72d14bd0d591d5f4a
Fixed: 35aa0fb8c3033a3d78603356e96fc18c5b9cceb2
Fixed: 019805fea91599b22dfa62ffb29c022f35abeb06

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50241.json"