CVE-2024-50121

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50121
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50121.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50121
Published
2024-11-05T17:10:50Z
Modified
2025-10-09T22:28:59.561211Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net
Details

In the Linux kernel, the following vulnerability has been resolved:

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

In the normal case, when we execute echo 0 > /proc/fs/nfsd/threads, the function nfs4_state_destroy_net in nfs4_state_shutdown_net will release all resources related to the hashed nfs4_client. If the nfsd_client_shrinker is running concurrently, the expire_client function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well.

nfsd_client_shrinker         echo 0 > /proc/fs/nfsd/threads

expire_client                nfsd_shutdown_net
  unhash_client                ...
                               nfs4_state_shutdown_net
                                 /* won't wait shrinker exit */
  /*                             cancel_work(&nn->nfsd_shrinker_work)
   * nfsd_file for this          /* won't destroy unhashed client1 */
   * client1 still alive         nfs4_state_destroy_net
   */

                               nfsd_file_cache_shutdown
                                 /* trigger warning */
                                 kmem_cache_destroy(nfsd_file_slab)
                                 kmem_cache_destroy(nfsd_file_mark_slab)
  /* release nfsd_file and mark */
  __destroy_client

====================================================================
BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown()

CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1

 dump_stack_lvl+0x53/0x70
 slab_err+0xb0/0xf0
 __kmem_cache_shutdown+0x15c/0x310
 kmem_cache_destroy+0x66/0x160
 nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
 nfsd_destroy_serv+0x251/0x2a0 [nfsd]
 nfsd_svc+0x125/0x1e0 [nfsd]
 write_threads+0x16a/0x2a0 [nfsd]
 nfsctl_transaction_write+0x74/0xa0 [nfsd]
 vfs_write+0x1a5/0x6d0
 ksys_write+0xc1/0x160
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

====================================================================
BUG nfsd_file_mark (Tainted: G B W ): Objects remaining nfsd_file_mark on __kmem_cache_shutdown()

 dump_stack_lvl+0x53/0x70
 slab_err+0xb0/0xf0
 __kmem_cache_shutdown+0x15c/0x310
 kmem_cache_destroy+0x66/0x160
 nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
 nfsd_destroy_serv+0x251/0x2a0 [nfsd]
 nfsd_svc+0x125/0x1e0 [nfsd]
 write_threads+0x16a/0x2a0 [nfsd]
 nfsctl_transaction_write+0x74/0xa0 [nfsd]
 vfs_write+0x1a5/0x6d0
 ksys_write+0xc1/0x160
 do_syscall_64+0x5f/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

To resolve this issue, cancel nfsd_shrinker_work using synchronous mode in nfs4_state_shutdown_net.
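
The interleaving described in the details above, as an added userspace model in C (not the kernel patch and not code from this advisory). The pthread, the semaphores and the names struct model, shrinker_work and shutdown_net are assumptions that stand in for the nfsd work item, its handler and the slab cache.

```c
/* Userspace model of the race (added example, not kernel code). Assumed mapping:
 * slab cache = object counter, work item = pthread, cancel_work_sync = pthread_join. */
#include <pthread.h>
#include <semaphore.h>
#include <stdbool.h>
#include <stdio.h>

struct model {
    int   live_objs;        /* objects still allocated from the cache */
    bool  client_hashed;    /* client1 is still on the hash list */
    bool  cache_destroyed;
    bool  late_free;        /* object released after its cache was destroyed */
    sem_t unhashed, resume;
};

static void *shrinker_work(void *arg)       /* stands in for expire_client */
{
    struct model *m = arg;
    m->client_hashed = false;               /* unhash_client */
    sem_post(&m->unhashed);
    sem_wait(&m->resume);                   /* handler is still in flight */
    if (m->cache_destroyed) m->late_free = true;
    m->live_objs--;                         /* __destroy_client frees the object */
    return NULL;
}

/* Returns objects left at cache destruction; *late_free reports a late release. */
static int shutdown_net(bool sync, bool *late_free)
{
    struct model m = { .live_objs = 1, .client_hashed = true };
    pthread_t w;
    sem_init(&m.unhashed, 0, 0); sem_init(&m.resume, 0, 0);
    pthread_create(&w, NULL, shrinker_work, &m);
    sem_wait(&m.unhashed);                  /* shutdown starts after the unhash */
    if (sync) { sem_post(&m.resume); pthread_join(w, NULL); }  /* sync: wait */
    if (m.client_hashed) m.live_objs--;     /* only hashed clients are destroyed */
    int remaining = m.live_objs;            /* what kmem_cache_destroy would see */
    m.cache_destroyed = true;
    if (!sync) { sem_post(&m.resume); pthread_join(w, NULL); } /* handler ends late */
    *late_free = m.late_free;
    return remaining;
}

int main(void)
{
    bool a, b;
    int x = shutdown_net(false, &a), y = shutdown_net(true, &b);
    printf("cancel_work: remaining=%d late_free=%d\n", x, a);
    printf("cancel_work_sync: remaining=%d late_free=%d\n", y, b);
}
```

Build with cc -pthread. The non-waiting path leaves one object in the cache at destruction time and releases it afterwards, which corresponds to the "Objects remaining" report and the use-after-free window; the waiting path leaves none.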

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2bbf10861d51dae76c6da7113516d0071c782653
Fixed
f67138dd338cb564ade7d3755c8cd4f68b46d397
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
958294a3eb82026fcfff20b0287a90e9c854785e
Fixed
5ade4382de16c34d9259cb548f36ec5c4555913c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f3ea5ec83d1a827f074b2b660749817e0bf2b23e
Fixed
36775f42e039b01d4abe8998bf66771a37d3cdcc
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7c24fa225081f31bc6da6a355c1ba801889ab29a
Fixed
f965dc0f099a54fca100acf6909abe52d0c85328
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7c24fa225081f31bc6da6a355c1ba801889ab29a
Fixed
add1df5eba163a3a6ece11cb85890e2e410baaea
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7c24fa225081f31bc6da6a355c1ba801889ab29a
Fixed
d5ff2fb2e7167e9483846e34148e60c0c016a1f6

Affected versions

v5.*

v5.10.220
v5.10.221
v5.10.222
v5.10.223
v5.10.224
v5.10.225
v5.10.226
v5.10.227
v5.10.228
v5.10.229
v5.10.230
v5.10.231
v5.10.232
v5.15.154
v5.15.155
v5.15.156
v5.15.157
v5.15.158
v5.15.159
v5.15.160
v5.15.161
v5.15.162
v5.15.163
v5.15.164
v5.15.165
v5.15.166
v5.15.167
v5.15.168
v5.15.169
v5.15.170
v5.15.171
v5.15.172
v5.15.173
v5.15.174
v5.15.175

v6.*

v6.1
v6.1-rc8
v6.1.100
v6.1.101
v6.1.102
v6.1.103
v6.1.104
v6.1.105
v6.1.106
v6.1.107
v6.1.108
v6.1.109
v6.1.110
v6.1.111
v6.1.112
v6.1.113
v6.1.114
v6.1.115
v6.1.116
v6.1.117
v6.1.118
v6.1.119
v6.1.120
v6.1.121
v6.1.122
v6.1.81
v6.1.82
v6.1.83
v6.1.84
v6.1.85
v6.1.86
v6.1.87
v6.1.88
v6.1.89
v6.1.90
v6.1.91
v6.1.92
v6.1.93
v6.1.94
v6.1.95
v6.1.96
v6.1.97
v6.1.98
v6.1.99
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.54
v6.6.55
v6.6.56
v6.6.57
v6.6.58
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.233
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.176
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.123
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.59
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.11.6