CVE-2024-36907

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: add a missing rpc_stat for TCP TLS

Commit 1548036ef120 ("nfs: make the rpcstat per net namespace") added functionality to specify rpcstats function but missed adding it to the TCP TLS functionality. As the result, mounting with xprtsec=tls lead to the following kernel oops.

[ 128.984192] Unable to handle kernel NULL pointer dereference at virtual address 000000000000001c [ 128.985058] Mem abort info: [ 128.985372] ESR = 0x0000000096000004 [ 128.985709] EC = 0x25: DABT (current EL), IL = 32 bits [ 128.986176] SET = 0, FnV = 0 [ 128.986521] EA = 0, S1PTW = 0 [ 128.986804] FSC = 0x04: level 0 translation fault [ 128.987229] Data abort info: [ 128.987597] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 128.988169] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 128.988811] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 128.989302] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000106c84000 [ 128.990048] [000000000000001c] pgd=0000000000000000, p4d=0000000000000000 [ 128.990736] Internal error: Oops: 0000000096000004 [#1] SMP [ 128.991168] Modules linked in: nfslayoutnfsv41files rpcsecgsskrb5 authrpcgss nfsv4 dnsresolver nfs lockd grace netfs uinput dmmod nftfibinet nftfibipv4 nftfibipv6 nftfib nftrejectinet nfrejectipv4 nfrejectipv6 nftreject nftct nftchainnat nfnat nfconntrack nfdefragipv6 nfdefragipv4 rfkill ipset nftables nfnetlink qrtr vsockloopback vmwvsockvirtiotransportcommon vmwvsockvmcitransport vsock sunrpc vfat fat uvcvideo videobuf2vmalloc videobuf2memops uvc videobuf2v4l2 videodev videobuf2common mc vmwvmci xfs libcrc32c e1000e crct10difce ghashce sha2ce vmwgfx nvme sha256arm64 nvmecore srmod cdrom sha1ce drmttmhelper ttm drmkmshelper drm sg fuse [ 128.996466] CPU: 0 PID: 179 Comm: kworker/u4:26 Kdump: loaded Not tainted 6.8.0-rc6+ #12 [ 128.997226] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.21805430.BA64.2305221830 05/22/2023 [ 128.998084] Workqueue: xprtiod xstcptlssetupsocket [sunrpc] [ 128.998701] pstate: 81400005 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 128.999384] pc : callstart+0x74/0x138 [sunrpc] [ 128.999809] lr : _rpcexecute+0xb8/0x3e0 [sunrpc] [ 129.000244] sp : ffff8000832b3a00 [ 129.000508] x29: ffff8000832b3a00 x28: ffff800081ac79c0 x27: ffff800081ac7000 [ 129.001111] x26: 0000000004248060 x25: 0000000000000000 x24: ffff800081596008 [ 129.001757] x23: ffff80007b087240 x22: ffff00009a509d30 x21: 0000000000000000 [ 129.002345] x20: ffff000090075600 x19: ffff00009a509d00 x18: ffffffffffffffff [ 129.002912] x17: 733d4d4554535953 x16: 42555300312d746e x15: ffff8000832b3a88 [ 129.003464] x14: ffffffffffffffff x13: ffff8000832b3a7d x12: 0000000000000008 [ 129.004021] x11: 0101010101010101 x10: ffff8000150cb560 x9 : ffff80007b087c00 [ 129.004577] x8 : ffff00009a509de0 x7 : 0000000000000000 x6 : 00000000be8c4ee3 [ 129.005026] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff000094d56680 [ 129.005425] x2 : ffff80007b0637f8 x1 : ffff000090075600 x0 : ffff00009a509d00 [ 129.005824] Call trace: [ 129.005967] callstart+0x74/0x138 [sunrpc] [ 129.006233] _rpcexecute+0xb8/0x3e0 [sunrpc] [ 129.006506] rpcexecute+0x160/0x1d8 [sunrpc] [ 129.006778] rpcruntask+0x148/0x1f8 [sunrpc] [ 129.007204] tlsprobe+0x80/0xd0 [sunrpc] [ 129.007460] rpcping+0x28/0x80 [sunrpc] [ 129.007715] rpccreatexprt+0x134/0x1a0 [sunrpc] [ 129.007999] rpccreate+0x128/0x2a0 [sunrpc] [ 129.008264] xstcptlssetupsocket+0xdc/0x508 [sunrpc] [ 129.008583] processonework+0x174/0x3c8 [ 129.008813] workerthread+0x2c8/0x3e0 [ 129.009033] kthread+0x100/0x110 [ 129.009225] retfromfork+0x10/0x20 [ 129.009432] Code: f0ffffc2 911fe042 aa1403e1 aa1303e0 (b9401c83)