The vulnerability, identified as CVE-2021-47507, is a startup race condition in the Linux kernel's NFS daemon (nfsd). Specifically, it affects the registration of per-net operations and the rpc_pipefs_event() function. This issue was reintroduced by commit bd5ae9288d64, which changed the order of register_pernet_subsys() and register_cld_notifier().
The race can lead to a NULL pointer dereference at virtual address 0000000000000012, causing a kernel crash. The crash occurs when rpc_pipefs_event() runs before the registration of nfsd_net_id has completed, so the callback looks up per-net data through an id that does not exist yet.
The issue was fixed by restoring the original order of register_pernet_subsys() and register_cld_notifier(), and adding a WARN_ON() to prevent future regressions. The fixes were introduced in kernel versions 5.4.165, 5.10.85, 5.15.8, and 5.16.
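As an added illustration (constructed model, not the kernel's own code), the following C program shows why the registration order matters: the notifier callback looks up per-net state through nfsd_net_id, so if the notifier is installed before register_pernet_subsys() assigns the id, an event that races in between dereferences a bad pointer. It assumes an unassigned id is 0, that net_generic() yields NULL for it, and models the added WARN_ON() as a guard in the callback.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the nfsd startup ordering race; not kernel code. */
#define NFSD_NET_UNSET 0            /* assumed id value before register_pernet_subsys() */
static int nfsd_net_id = NFSD_NET_UNSET;
static int cld_notifier_active;     /* set once register_cld_notifier() has run */

struct nfsd_net { int ready; };
struct net { void *gen[2]; };       /* per-net slots; slot 0 is never a valid id */

/* Assumption: lookup through an unassigned id yields NULL (the crash path). */
static void *net_generic(struct net *net, int id)
{
    return id == NFSD_NET_UNSET ? NULL : net->gen[id];
}

static void register_pernet_subsys(struct net *net, struct nfsd_net *nn)
{
    nfsd_net_id = 1;                /* id becomes valid only here */
    net->gen[nfsd_net_id] = nn;
}

static void register_cld_notifier(void) { cld_notifier_active = 1; }

/* Models rpc_pipefs_event(): 1 = would dereference NULL, -1 = WARN_ON guard fired, 0 = ok. */
static int rpc_pipefs_event(struct net *net, int guarded)
{
    if (!cld_notifier_active) return 0;           /* not subscribed, callback never runs */
    if (guarded && nfsd_net_id == NFSD_NET_UNSET) {
        fprintf(stderr, "WARN_ON: rpc_pipefs_event before nfsd_net_id registration\n");
        return -1;
    }
    struct nfsd_net *nn = net_generic(net, nfsd_net_id);
    if (!nn) return 1;                            /* the NULL pointer dereference */
    nn->ready = 1;
    return 0;
}

/* Order from bd5ae9288d64: notifier first, so a pipefs event can arrive before the id exists. */
static int startup_regressed(int guarded)
{
    struct net net = {0}; struct nfsd_net nn = {0};
    nfsd_net_id = NFSD_NET_UNSET; cld_notifier_active = 0;
    register_cld_notifier();
    int rc = rpc_pipefs_event(&net, guarded);     /* rpc_pipefs mount races in here */
    register_pernet_subsys(&net, &nn);
    return rc;
}

/* Restored order: the per-net id is assigned before any event can be delivered. */
static int startup_fixed(int guarded)
{
    struct net net = {0}; struct nfsd_net nn = {0};
    nfsd_net_id = NFSD_NET_UNSET; cld_notifier_active = 0;
    register_pernet_subsys(&net, &nn);
    register_cld_notifier();
    return rpc_pipefs_event(&net, guarded);
}
```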
The affected files are fs/nfsd/nfs4recover.c and fs/nfsd/nfsctl.c. To mitigate this issue, the Linux kernel CVE team recommends updating to the latest stable kernel version rather than cherry-picking individual changes, since the fixes are part of a larger kernel release.