| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net\n\nIn the normal case, when we excute `echo 0 > /proc/fs/nfsd/threads`, the\nfunction `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will\nrelease all resources related to the hashed `nfs4_client`. If the\n`nfsd_client_shrinker` is running concurrently, the `expire_client`\nfunction will first unhash this client and then destroy it. This can\nlead to the following warning. Additionally, numerous use-after-free\nerrors may occur as well.\n\nnfsd_client_shrinker echo 0 > /proc/fs/nfsd/threads\n\nexpire_client nfsd_shutdown_net\n unhash_client ...\n nfs4_state_shutdown_net\n /* won't wait shrinker exit */\n /* cancel_work(&nn->nfsd_shrinker_work)\n * nfsd_file for this /* won't destroy unhashed client1 */\n * client1 still alive nfs4_state_destroy_net\n */\n\n nfsd_file_cache_shutdown\n /* trigger warning */\n kmem_cache_destroy(nfsd_file_slab)\n kmem_cache_destroy(nfsd_file_mark_slab)\n /* release nfsd_file and mark */\n __destroy_client\n\n====================================================================\nBUG nfsd_file (Not tainted): Objects remaining in nfsd_file on\n__kmem_cache_shutdown()\n--------------------------------------------------------------------\nCPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1\n\n dump_stack_lvl+0x53/0x70\n slab_err+0xb0/0xf0\n __kmem_cache_shutdown+0x15c/0x310\n kmem_cache_destroy+0x66/0x160\n nfsd_file_cache_shutdown+0xac/0x210 [nfsd]\n nfsd_destroy_serv+0x251/0x2a0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n====================================================================\nBUG nfsd_file_mark (Tainted: G B W ): Objects remaining\nnfsd_file_mark on __kmem_cache_shutdown()\n--------------------------------------------------------------------\n\n dump_stack_lvl+0x53/0x70\n slab_err+0xb0/0xf0\n __kmem_cache_shutdown+0x15c/0x310\n kmem_cache_destroy+0x66/0x160\n nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]\n nfsd_destroy_serv+0x251/0x2a0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo resolve this issue, cancel `nfsd_shrinker_work` using synchronous\nmode in nfs4_state_shutdown_net." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "fs/nfsd/nfs4state.c" |
| ], |
| "versions": [ |
| { |
| "version": "2bbf10861d51dae76c6da7113516d0071c782653", |
| "lessThan": "f67138dd338cb564ade7d3755c8cd4f68b46d397", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "958294a3eb82026fcfff20b0287a90e9c854785e", |
| "lessThan": "5ade4382de16c34d9259cb548f36ec5c4555913c", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "f3ea5ec83d1a827f074b2b660749817e0bf2b23e", |
| "lessThan": "36775f42e039b01d4abe8998bf66771a37d3cdcc", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "7c24fa225081f31bc6da6a355c1ba801889ab29a", |
| "lessThan": "f965dc0f099a54fca100acf6909abe52d0c85328", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "7c24fa225081f31bc6da6a355c1ba801889ab29a", |
| "lessThan": "add1df5eba163a3a6ece11cb85890e2e410baaea", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "7c24fa225081f31bc6da6a355c1ba801889ab29a", |
| "lessThan": "d5ff2fb2e7167e9483846e34148e60c0c016a1f6", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "fs/nfsd/nfs4state.c" |
| ], |
| "versions": [ |
| { |
| "version": "6.2", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "6.2", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.10.233", |
| "lessThanOrEqual": "5.10.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "5.15.176", |
| "lessThanOrEqual": "5.15.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.1.123", |
| "lessThanOrEqual": "6.1.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.59", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.11.6", |
| "lessThanOrEqual": "6.11.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.10.220", |
| "versionEndExcluding": "5.10.233" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "5.15.154", |
| "versionEndExcluding": "5.15.176" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.1.81", |
| "versionEndExcluding": "6.1.123" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.2", |
| "versionEndExcluding": "6.6.59" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.2", |
| "versionEndExcluding": "6.11.6" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.2", |
| "versionEndExcluding": "6.12" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/f67138dd338cb564ade7d3755c8cd4f68b46d397" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/5ade4382de16c34d9259cb548f36ec5c4555913c" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/36775f42e039b01d4abe8998bf66771a37d3cdcc" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/f965dc0f099a54fca100acf6909abe52d0c85328" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/add1df5eba163a3a6ece11cb85890e2e410baaea" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/d5ff2fb2e7167e9483846e34148e60c0c016a1f6" |
| } |
| ], |
| "title": "nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2024-50121", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
