CVE-2024-50121
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-50121
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50121.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-50121
- Downstream
- Related
- Published
- 2024-11-05T17:10:50Z
- Modified
- 2025-10-17T16:11:09.997947Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
nfsd: cancel nfsdshrinkerwork using sync mode in nfs4stateshutdown_net
In the normal case, when we excute
echo 0 > /proc/fs/nfsd/threads, the functionnfs4_state_destroy_netinnfs4_state_shutdown_netwill release all resources related to the hashednfs4_client. If thenfsd_client_shrinkeris running concurrently, theexpire_clientfunction will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well.nfsdclientshrinker echo 0 > /proc/fs/nfsd/threads
expireclient nfsdshutdownnet unhashclient ... nfs4stateshutdownnet /* won't wait shrinker exit */ /* cancelwork(&nn->nfsdshrinkerwork) * nfsdfile for this /* won't destroy unhashed client1 */ * client1 still alive nfs4statedestroynet */
nfsd_file_cache_shutdown /* trigger warning */ kmem_cache_destroy(nfsd_file_slab) kmem_cache_destroy(nfsd_file_mark_slab)/* release nfsdfile and mark */ _destroy_client
==================================================================== BUG nfsdfile (Not tainted): Objects remaining in nfsdfile on
_kmemcache_shutdown()
CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1
dumpstacklvl+0x53/0x70 slaberr+0xb0/0xf0 _kmemcacheshutdown+0x15c/0x310 kmemcachedestroy+0x66/0x160 nfsdfilecacheshutdown+0xac/0x210 [nfsd] nfsddestroyserv+0x251/0x2a0 [nfsd] nfsdsvc+0x125/0x1e0 [nfsd] writethreads+0x16a/0x2a0 [nfsd] nfsctltransactionwrite+0x74/0xa0 [nfsd] vfswrite+0x1a5/0x6d0 ksyswrite+0xc1/0x160 dosyscall64+0x5f/0x170 entrySYSCALL64after_hwframe+0x76/0x7e
==================================================================== BUG nfsdfilemark (Tainted: G B W ): Objects remaining
nfsdfilemark on _kmemcache_shutdown()
dumpstacklvl+0x53/0x70 slaberr+0xb0/0xf0 _kmemcacheshutdown+0x15c/0x310 kmemcachedestroy+0x66/0x160 nfsdfilecacheshutdown+0xc8/0x210 [nfsd] nfsddestroyserv+0x251/0x2a0 [nfsd] nfsdsvc+0x125/0x1e0 [nfsd] writethreads+0x16a/0x2a0 [nfsd] nfsctltransactionwrite+0x74/0xa0 [nfsd] vfswrite+0x1a5/0x6d0 ksyswrite+0xc1/0x160 dosyscall64+0x5f/0x170 entrySYSCALL64after_hwframe+0x76/0x7e
To resolve this issue, cancel
nfsd_shrinker_workusing synchronous mode in nfs4stateshutdown_net. - References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/36775f42e039b01d4abe8998bf66771a37d3cdcc
- https://git.kernel.org/stable/c/5ade4382de16c34d9259cb548f36ec5c4555913c
- https://git.kernel.org/stable/c/add1df5eba163a3a6ece11cb85890e2e410baaea
- https://git.kernel.org/stable/c/d5ff2fb2e7167e9483846e34148e60c0c016a1f6
- https://git.kernel.org/stable/c/f67138dd338cb564ade7d3755c8cd4f68b46d397
- https://git.kernel.org/stable/c/f965dc0f099a54fca100acf6909abe52d0c85328
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced2bbf10861d51dae76c6da7113516d0071c782653Fixedf67138dd338cb564ade7d3755c8cd4f68b46d397
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced958294a3eb82026fcfff20b0287a90e9c854785eFixed5ade4382de16c34d9259cb548f36ec5c4555913c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedf3ea5ec83d1a827f074b2b660749817e0bf2b23eFixed36775f42e039b01d4abe8998bf66771a37d3cdcc
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced7c24fa225081f31bc6da6a355c1ba801889ab29aFixedf965dc0f099a54fca100acf6909abe52d0c85328
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced7c24fa225081f31bc6da6a355c1ba801889ab29aFixedadd1df5eba163a3a6ece11cb85890e2e410baaea
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced7c24fa225081f31bc6da6a355c1ba801889ab29aFixedd5ff2fb2e7167e9483846e34148e60c0c016a1f6
Affected versions
v5.*
v6.*
Database specific
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f965dc0f099a54fca100acf6909abe52d0c85328",
"id": "CVE-2024-50121-1d25a42e",
"digest": {
"line_hashes": [
"169545521002908396830072499828180045779",
"100586876307347461148900291953824179075",
"247105504362864633066132704492653056555",
"34484962630249483339394985565885139520"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "fs/nfsd/nfs4state.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@add1df5eba163a3a6ece11cb85890e2e410baaea",
"id": "CVE-2024-50121-1e6194cc",
"digest": {
"line_hashes": [
"309128401169417009582413092835631281921",
"202892085294998761872815655356407253968",
"53607418604884438757545296437553190872",
"34484962630249483339394985565885139520"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "fs/nfsd/nfs4state.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f67138dd338cb564ade7d3755c8cd4f68b46d397",
"id": "CVE-2024-50121-1f073223",
"digest": {
"line_hashes": [
"169545521002908396830072499828180045779",
"100586876307347461148900291953824179075",
"247105504362864633066132704492653056555",
"34484962630249483339394985565885139520"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "fs/nfsd/nfs4state.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@36775f42e039b01d4abe8998bf66771a37d3cdcc",
"id": "CVE-2024-50121-9799dbe4",
"digest": {
"line_hashes": [
"169545521002908396830072499828180045779",
"100586876307347461148900291953824179075",
"247105504362864633066132704492653056555",
"34484962630249483339394985565885139520"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "fs/nfsd/nfs4state.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5ade4382de16c34d9259cb548f36ec5c4555913c",
"id": "CVE-2024-50121-a8771dc0",
"digest": {
"line_hashes": [
"169545521002908396830072499828180045779",
"100586876307347461148900291953824179075",
"247105504362864633066132704492653056555",
"34484962630249483339394985565885139520"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "fs/nfsd/nfs4state.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5ff2fb2e7167e9483846e34148e60c0c016a1f6",
"id": "CVE-2024-50121-f18f598f",
"digest": {
"line_hashes": [
"309128401169417009582413092835631281921",
"202892085294998761872815655356407253968",
"53607418604884438757545296437553190872",
"34484962630249483339394985565885139520"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "fs/nfsd/nfs4state.c"
}
}
]
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.233
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.176
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.123
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.59
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.11.6