GHSA-WRCM-3W95-9W36

Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2025-11-03 21:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

In the normal case, when we excute echo 0 > /proc/fs/nfsd/threads, the function nfs4_state_destroy_net in nfs4_state_shutdown_net will release all resources related to the hashed nfs4_client. If the nfsd_client_shrinker is running concurrently, the expire_client function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well.

nfsd_client_shrinker echo 0 > /proc/fs/nfsd/threads

expire_client nfsd_shutdown_net unhash_client ... nfs4_state_shutdown_net / won't wait shrinker exit / / cancel_work(&nn->nfsd_shrinker_work) * nfsd_file for this / won't destroy unhashed client1 / * client1 still alive nfs4_state_destroy_net /

                           nfsd_file_cache_shutdown
                             /* trigger warning */
                             kmem_cache_destroy(nfsd_file_slab)
                             kmem_cache_destroy(nfsd_file_mark_slab)

/ release nfsd_file and mark / __destroy_client

==================================================================== BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown()

CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1

dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xac/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e

==================================================================== BUG nfsd_file_mark (Tainted: G B W ): Objects remaining nfsd_file_mark on __kmem_cache_shutdown()

dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xc8/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e

To resolve this issue, cancel nfsd_shrinker_work using synchronous mode in nfs4_state_shutdown_net.

Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-50121"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-05T18:15:15Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net\n\nIn the normal case, when we excute `echo 0 \u003e /proc/fs/nfsd/threads`, the\nfunction `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will\nrelease all resources related to the hashed `nfs4_client`. If the\n`nfsd_client_shrinker` is running concurrently, the `expire_client`\nfunction will first unhash this client and then destroy it. This can\nlead to the following warning. Additionally, numerous use-after-free\nerrors may occur as well.\n\nnfsd_client_shrinker         echo 0 \u003e /proc/fs/nfsd/threads\n\nexpire_client                nfsd_shutdown_net\n  unhash_client                ...\n                               nfs4_state_shutdown_net\n                                 /* won\u0027t wait shrinker exit */\n  /*                             cancel_work(\u0026nn-\u003enfsd_shrinker_work)\n   * nfsd_file for this          /* won\u0027t destroy unhashed client1 */\n   * client1 still alive         nfs4_state_destroy_net\n   */\n\n                               nfsd_file_cache_shutdown\n                                 /* trigger warning */\n                                 kmem_cache_destroy(nfsd_file_slab)\n                                 kmem_cache_destroy(nfsd_file_mark_slab)\n  /* release nfsd_file and mark */\n  __destroy_client\n\n====================================================================\nBUG nfsd_file (Not tainted): Objects remaining in nfsd_file on\n__kmem_cache_shutdown()\n--------------------------------------------------------------------\nCPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1\n\n dump_stack_lvl+0x53/0x70\n slab_err+0xb0/0xf0\n __kmem_cache_shutdown+0x15c/0x310\n kmem_cache_destroy+0x66/0x160\n nfsd_file_cache_shutdown+0xac/0x210 [nfsd]\n nfsd_destroy_serv+0x251/0x2a0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n====================================================================\nBUG nfsd_file_mark (Tainted: G    B   W         ): Objects remaining\nnfsd_file_mark on __kmem_cache_shutdown()\n--------------------------------------------------------------------\n\n dump_stack_lvl+0x53/0x70\n slab_err+0xb0/0xf0\n __kmem_cache_shutdown+0x15c/0x310\n kmem_cache_destroy+0x66/0x160\n nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]\n nfsd_destroy_serv+0x251/0x2a0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo resolve this issue, cancel `nfsd_shrinker_work` using synchronous\nmode in nfs4_state_shutdown_net.",
  "id": "GHSA-wrcm-3w95-9w36",
  "modified": "2025-11-03T21:31:31Z",
  "published": "2024-11-05T18:32:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50121"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/36775f42e039b01d4abe8998bf66771a37d3cdcc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5ade4382de16c34d9259cb548f36ec5c4555913c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/add1df5eba163a3a6ece11cb85890e2e410baaea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d5ff2fb2e7167e9483846e34148e60c0c016a1f6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f67138dd338cb564ade7d3755c8cd4f68b46d397"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f965dc0f099a54fca100acf6909abe52d0c85328"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.