The vulnerability, tracked as CVE-2021-47506, is a use-after-free issue in the Linux kernel's NFS daemon (nfsd) due to a delegation race. The problem occurs when a delegation break arrives after vfs_setlease has been called, triggering a callback that immediately adds the delegation to del_recall_lru. If the delegation is not hashed before exiting nfs4_set_delegation, it will be freed as soon as the callback is done with it, without being removed from del_recall_lru.

This can lead to symptoms such as use-after-free or list corruption warnings, typically observed in the laundromat thread. The issue may have been present since the beginning of NFS delegation support, but was likely made easier to trigger by a commit introducing read delegations to clients holding writes (aba2072f4523).

The vulnerability has been fixed in various kernel versions, including 4.4.296, 4.9.294, 4.14.259, 4.19.222, 5.4.168, 5.10.85, 5.15.8, and 5.16. The affected file is fs/nfsd/nfs4state.c. The Linux kernel CVE team recommends updating to the latest stable kernel version to resolve this issue, rather than cherry-picking individual commits.
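The race described above reduces to a general bug pattern: a callback links an object into a global list, and the owner's error path releases the object without unlinking it, so the list keeps a dangling pointer that the next walker (here, the laundromat) dereferences. The following user-space C model is an added example, not the kernel's nfsd code or the actual fix commit; the names `delegation`, `set_delegation`, `delegation_break` and `run_race` are assumptions that loosely mirror nfs4_set_delegation, the lease-break callback and del_recall_lru, and the "slab" is a static pool so that the dangling link can be detected rather than crashing the demo. The hardened variant shows the general remedy, unlinking from the recall list before the object is released.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal intrusive list in the style of the kernel's list_head (constructed for this demo). */
struct list_head { struct list_head *next, *prev; };

static void init_list(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_is_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev;
    n->next = head;
    head->prev->next = n;
    head->prev = n;
}
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    init_list(n);
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical stand-in for nfs4_delegation: only the fields the race touches. */
struct delegation {
    struct list_head recall_lru; /* link into del_recall_lru */
    bool hashed;                 /* has the delegation been published to the state tables? */
    bool in_use;                 /* false once "freed"; models a returned slab object */
};

static struct list_head del_recall_lru;   /* global recall list the laundromat walks */
static struct delegation pool[4];         /* simulated slab cache (constructed) */

static struct delegation *alloc_delegation(void)
{
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) {
        if (!pool[i].in_use) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].in_use = true;
            init_list(&pool[i].recall_lru);
            return &pool[i];
        }
    }
    return NULL;
}

/* Models kmem_cache_free: the object is logically gone, but the slot keeps its bytes so the
 * laundromat walk below can report the dangling link instead of crashing. */
static void free_delegation(struct delegation *dp) { dp->in_use = false; }

/* The lease-break callback: queues the delegation for recall whether or not it is hashed. */
static void delegation_break(struct delegation *dp)
{
    if (list_is_empty(&dp->recall_lru))
        list_add_tail(&dp->recall_lru, &del_recall_lru);
}

/* Models the tail of nfs4_set_delegation after vfs_setlease has succeeded. break_arrives
 * injects the race (a break fires before hashing); can_hash is false on the error path.
 * Returns 0 on success, -1 when the delegation is discarded. */
static int set_delegation(struct delegation *dp, bool break_arrives, bool can_hash, bool hardened)
{
    if (break_arrives)
        delegation_break(dp);        /* may happen any time after vfs_setlease() */
    if (can_hash) {
        dp->hashed = true;
        return 0;
    }
    /* Error path: the object is about to be released. The vulnerable variant leaves the
     * recall_lru link in place; the hardened variant unlinks before releasing. */
    if (hardened)
        list_del_init(&dp->recall_lru);
    free_delegation(dp);
    return -1;
}

/* The laundromat's view: how many recall-list entries point at released objects. */
static int laundromat_dangling_entries(void)
{
    int dangling = 0;
    for (struct list_head *p = del_recall_lru.next; p != &del_recall_lru; p = p->next) {
        struct delegation *dp = container_of(p, struct delegation, recall_lru);
        if (!dp->in_use)
            dangling++;
    }
    return dangling;
}

/* Run the race on fresh state: returns the number of dangling recall-list entries. */
static int run_race(bool hardened)
{
    init_list(&del_recall_lru);
    memset(pool, 0, sizeof pool);
    struct delegation *dp = alloc_delegation();
    set_delegation(dp, true, false, hardened);
    return laundromat_dangling_entries();
}

int main(void)
{
    printf("vulnerable: %d dangling entries\n", run_race(false)); /* 1 */
    printf("hardened:   %d dangling entries\n", run_race(true));  /* 0 */
    return 0;
}
```

In the real kernel the released slab memory is reused, so the dangling `del_recall_lru` entry surfaces as the use-after-free or list corruption warnings the advisory mentions; the model keeps the slot intact only so that the walker can count the stale link deterministically. The defender's takeaway is the same either way: any teardown path that can run after a callback has linked the object elsewhere must unlink it first, and a cheap sanity check in the free path (a list-empty assertion) turns a silent corruption into a loud warning.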