CVE-2024-50121

Source
https://cve.org/CVERecord?id=CVE-2024-50121
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50121.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50121
Published
2024-11-05T17:10:50.523Z
Modified
2026-03-20T12:38:13.439161Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net
Details

In the Linux kernel, the following vulnerability has been resolved:

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

In the normal case, when we execute echo 0 > /proc/fs/nfsd/threads, the function nfs4_state_destroy_net in nfs4_state_shutdown_net will release all resources related to the hashed nfs4_client. If the nfsd_client_shrinker is running concurrently, the expire_client function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well.

    nfsd_client_shrinker         echo 0 > /proc/fs/nfsd/threads

    expire_client                nfsd_shutdown_net
      unhash_client                ...
                                   nfs4_state_shutdown_net
                                     /* won't wait shrinker exit */
      /*                             cancel_work(&nn->nfsd_shrinker_work)
       * nfsd_file for this          /* won't destroy unhashed client1 */
       * client1 still alive         nfs4_state_destroy_net
       */

                                   nfsd_file_cache_shutdown
                                     /* trigger warning */
                                     kmem_cache_destroy(nfsd_file_slab)
                                     kmem_cache_destroy(nfsd_file_mark_slab)
      /* release nfsd_file and mark */
      __destroy_client

    ====================================================================
    BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on
    __kmem_cache_shutdown()

    CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1

     dump_stack_lvl+0x53/0x70
     slab_err+0xb0/0xf0
     __kmem_cache_shutdown+0x15c/0x310
     kmem_cache_destroy+0x66/0x160
     nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
     nfsd_destroy_serv+0x251/0x2a0 [nfsd]
     nfsd_svc+0x125/0x1e0 [nfsd]
     write_threads+0x16a/0x2a0 [nfsd]
     nfsctl_transaction_write+0x74/0xa0 [nfsd]
     vfs_write+0x1a5/0x6d0
     ksys_write+0xc1/0x160
     do_syscall_64+0x5f/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

    ====================================================================
    BUG nfsd_file_mark (Tainted: G B W ): Objects remaining
    nfsd_file_mark on __kmem_cache_shutdown()

     dump_stack_lvl+0x53/0x70
     slab_err+0xb0/0xf0
     __kmem_cache_shutdown+0x15c/0x310
     kmem_cache_destroy+0x66/0x160
     nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
     nfsd_destroy_serv+0x251/0x2a0 [nfsd]
     nfsd_svc+0x125/0x1e0 [nfsd]
     write_threads+0x16a/0x2a0 [nfsd]
     nfsctl_transaction_write+0x74/0xa0 [nfsd]
     vfs_write+0x1a5/0x6d0
     ksys_write+0xc1/0x160
     do_syscall_64+0x5f/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

To resolve this issue, cancel nfsd_shrinker_work using synchronous mode in nfs4_state_shutdown_net.
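
The interleaving from the diagram above, replayed as a deterministic single-threaded state model in C. This is an added illustration, not kernel code and not part of the patch; the struct, the function names and the `racing` flag are hypothetical stand-ins for the steps the commit message names.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed single-threaded replay of the race; a model, not kernel code. */
struct model {
    bool hashed;    /* client1 is still on the hashed-client list */
    bool running;   /* shrinker work sits between unhash and destroy */
    bool destroyed; /* the nfsd_file slab cache has been torn down */
    bool uaf;       /* an object was released into a destroyed cache */
    int objects;    /* nfsd_file objects still allocated */
};

/* Second half of the shrinker work: release nfsd_file, destroy the client. */
static void shrinker_finish(struct model *m) {
    if (m->destroyed)
        m->uaf = true;
    m->objects--;
    m->running = false;
}

/* Shutdown path; returns the objects left when the cache is destroyed. */
static int shutdown_net(struct model *m, bool sync_cancel) {
    if (sync_cancel && m->running)
        shrinker_finish(m);       /* sync cancel waits; plain cancel does not */
    if (m->hashed)
        m->objects--;             /* teardown frees only hashed clients */
    int remaining = m->objects;   /* non-zero here is the BUG report */
    m->destroyed = true;
    if (m->running)
        shrinker_finish(m);       /* work resumes after the cache is gone */
    return remaining;
}

/* racing=true replays the diagram: client1 is unhashed when shutdown begins. */
static int replay(bool racing, bool sync_cancel, bool *use_after_destroy) {
    struct model m = { .hashed = !racing, .running = racing, .objects = 1 };
    int remaining = shutdown_net(&m, sync_cancel);
    *use_after_destroy = m.uaf;
    return remaining;
}

int main(void) {
    for (int sync = 0; sync <= 1; sync++) {
        bool uaf;
        int left = replay(true, sync, &uaf);
        printf("sync=%d remaining=%d use_after_destroy=%d\n", sync, left, uaf);
    }
    return 0;
}
```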

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50121.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2bbf10861d51dae76c6da7113516d0071c782653
Fixed
f67138dd338cb564ade7d3755c8cd4f68b46d397
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
958294a3eb82026fcfff20b0287a90e9c854785e
Fixed
5ade4382de16c34d9259cb548f36ec5c4555913c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f3ea5ec83d1a827f074b2b660749817e0bf2b23e
Fixed
36775f42e039b01d4abe8998bf66771a37d3cdcc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7c24fa225081f31bc6da6a355c1ba801889ab29a
Fixed
f965dc0f099a54fca100acf6909abe52d0c85328
Fixed
add1df5eba163a3a6ece11cb85890e2e410baaea
Fixed
d5ff2fb2e7167e9483846e34148e60c0c016a1f6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50121.json"