The vulnerability, identified as CVE-2021-47507, is a startup race condition in the Linux kernel's NFS server (nfsd). The race is between the registration of nfsd's per-network-namespace operations, which is what assigns nfsd_net_id, and the rpc_pipefs notifier callback rpc_pipefs_event(), which uses nfsd_net_id to look up the per-namespace nfsd state. The race had been fixed once before and was reintroduced by commit bd5ae9288d64, which swapped the order of register_pernet_subsys() and register_cld_notifier(), so that the notifier could be invoked before the per-net id existed.

If an rpc_pipefs mount event is delivered in that window, rpc_pipefs_event() runs before register_pernet_subsys() has assigned nfsd_net_id, the per-net lookup does not return a valid nfsd_net structure, and the callback dereferences a NULL pointer at virtual address 0000000000000012, crashing the kernel.

The fix restores the original order, registering the per-net subsystem before the cld notifier, and adds a WARN_ON() in register_cld_notifier() that fires if nfsd_net_id is still unset, so that any future reordering is caught during testing instead of surfacing as a rare crash. The fix is included in stable kernels 5.4.165, 5.10.85 and 5.15.8, and in 5.16.

The affected files are fs/nfsd/nfs4recover.c and fs/nfsd/nfsctl.c. To mitigate the issue, the Linux kernel CVE team recommends updating to the latest stable kernel version. Individual changes are not tested in isolation; they are tested as part of the stable release that carries them, so apply the whole release rather than cherry-picking the single commit.
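As an added illustration, not code from the kernel or from the page, the following userspace model replays the two init orderings. The function and variable names (nfsd_net_id, net_generic, register_pernet_subsys, register_cld_notifier, rpc_pipefs_event) mirror the kernel's, but every body is a simplified stand-in, and the rpc_pipefs mount injected between the two registrations is a constructed event. It shows why the reordered init is unsafe: the notifier exists before the id it needs, so an early event looks up slot 0 and gets nothing back.

```c
/*
 * Added example: userspace model of the nfsd startup race behind
 * CVE-2021-47507. Not kernel code; names mirror the kernel's, bodies are
 * simplified stand-ins.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PERNET_IDS    8
#define MIN_PERNET_OPS_ID 1   /* like the kernel, slot 0 is never handed out */

struct cld_net  { int upcall_pipe_open; };
struct nfsd_net { struct cld_net *cld_net; };

/* Stand-in for struct net: gen[] models net->gen->ptr[], indexed by per-net id. */
struct net { void *gen[MAX_PERNET_IDS]; };

static unsigned int nfsd_net_id;                        /* 0 until assigned */
static unsigned int next_pernet_id = MIN_PERNET_OPS_ID;
static bool         cld_notifier_registered;
static int          warn_on_hits;                       /* WARN_ON() counter */

/* Model of WARN_ON(): records the hit instead of printing a stack trace. */
static int WARN_ON(bool cond, const char *what)
{
    if (cond) {
        warn_on_hits++;
        fprintf(stderr, "WARNING: %s\n", what);
    }
    return cond;
}

static void *net_generic(const struct net *net, unsigned int id)
{
    return net->gen[id];   /* id 0 is the empty slot: returns NULL */
}

/* Allocates the per-net nfsd state and assigns nfsd_net_id, as happens when
 * nfsd_net_ops are registered. */
static int register_pernet_subsys(struct net *net)
{
    struct nfsd_net *nn = calloc(1, sizeof *nn);
    if (!nn)
        return -1;
    nfsd_net_id = next_pernet_id++;
    net->gen[nfsd_net_id] = nn;
    return 0;
}

/* The fix adds WARN_ON(!nfsd_net_id) here; with_warn toggles that guard. */
static int register_cld_notifier(bool with_warn)
{
    if (with_warn)
        WARN_ON(!nfsd_net_id, "register_cld_notifier() before nfsd_net_id set");
    cld_notifier_registered = true;
    return 0;
}

/* Model of rpc_pipefs_event(): returns -1 where the kernel would oops on
 * nn->cld_net with nn == NULL, 0 when the namespace has no cld_net yet. */
static int rpc_pipefs_event(struct net *net)
{
    struct nfsd_net *nn = net_generic(net, nfsd_net_id);
    if (nn == NULL)
        return -1;
    return nn->cld_net ? 1 : 0;
}

/* A constructed rpc_pipefs mount landing mid-init: the callback only runs if
 * the notifier has already been registered. */
static int pipefs_mount_during_init(struct net *net)
{
    return cld_notifier_registered ? rpc_pipefs_event(net) : 0;
}

static void reset_model(struct net *net)
{
    for (unsigned i = 0; i < MAX_PERNET_IDS; i++) {
        free(net->gen[i]);
        net->gen[i] = NULL;
    }
    nfsd_net_id = 0;
    next_pernet_id = MIN_PERNET_OPS_ID;
    cld_notifier_registered = false;
}

/* Runs the two registrations in either order with one mount event injected
 * between them. Returns that event's result: -1 means the NULL dereference. */
static int simulate_startup(bool notifier_first, bool with_warn)
{
    struct net net = { { NULL } };
    int rc;

    warn_on_hits = 0;
    reset_model(&net);
    if (notifier_first) {            /* order introduced by bd5ae9288d64 */
        register_cld_notifier(with_warn);
        rc = pipefs_mount_during_init(&net);
        register_pernet_subsys(&net);
    } else {                          /* original order, restored by the fix */
        register_pernet_subsys(&net);
        rc = pipefs_mount_during_init(&net);
        register_cld_notifier(with_warn);
    }
    reset_model(&net);                /* frees the per-net state */
    return rc;
}

static int warn_on_count(void) { return warn_on_hits; }

int main(void)
{
    printf("notifier first, no guard : event rc=%d warns=%d\n",
           simulate_startup(true, false), warn_on_count());
    printf("notifier first, guarded  : event rc=%d warns=%d\n",
           simulate_startup(true, true), warn_on_count());
    printf("pernet first, guarded    : event rc=%d warns=%d\n",
           simulate_startup(false, true), warn_on_count());
    return 0;
}
```

Build with any C99 compiler (for example cc -std=c99 -Wall). The fixed order is safe not because the lookup happens to succeed, but because no notifier exists until the id it depends on does; the WARN_ON() turns a silent reordering into a loud one at init time.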