CVE-2024-50121

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
05/11/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

In the normal case, when we execute `echo 0 > /proc/fs/nfsd/threads`, the
function `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will
release all resources related to the hashed `nfs4_client`. If the
`nfsd_client_shrinker` is running concurrently, the `expire_client`
function will first unhash this client and then destroy it. This can
lead to the following warning. Additionally, numerous use-after-free
errors may occur as well.

    nfsd_client_shrinker               echo 0 > /proc/fs/nfsd/threads

    expire_client                      nfsd_shutdown_net
      unhash_client                      ...
                                         nfs4_state_shutdown_net
                                           /* won't wait shrinker exit */
      /*                                   cancel_work(&nn->nfsd_shrinker_work)
       * nfsd_file for this                /* won't destroy unhashed client1 */
       * client1 still alive               nfs4_state_destroy_net
       */

                                         nfsd_file_cache_shutdown
                                           /* trigger warning */
                                           kmem_cache_destroy(nfsd_file_slab)
                                           kmem_cache_destroy(nfsd_file_mark_slab)
      /* release nfsd_file and mark */
      __destroy_client

    ====================================================================
    BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on
    __kmem_cache_shutdown()
    --------------------------------------------------------------------
    CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1

    dump_stack_lvl+0x53/0x70
    slab_err+0xb0/0xf0
    __kmem_cache_shutdown+0x15c/0x310
    kmem_cache_destroy+0x66/0x160
    nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
    nfsd_destroy_serv+0x251/0x2a0 [nfsd]
    nfsd_svc+0x125/0x1e0 [nfsd]
    write_threads+0x16a/0x2a0 [nfsd]
    nfsctl_transaction_write+0x74/0xa0 [nfsd]
    vfs_write+0x1a5/0x6d0
    ksys_write+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

    ====================================================================
    BUG nfsd_file_mark (Tainted: G B W ): Objects remaining
    nfsd_file_mark on __kmem_cache_shutdown()
    --------------------------------------------------------------------

    dump_stack_lvl+0x53/0x70
    slab_err+0xb0/0xf0
    __kmem_cache_shutdown+0x15c/0x310
    kmem_cache_destroy+0x66/0x160
    nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
    nfsd_destroy_serv+0x251/0x2a0 [nfsd]
    nfsd_svc+0x125/0x1e0 [nfsd]
    write_threads+0x16a/0x2a0 [nfsd]
    nfsctl_transaction_write+0x74/0xa0 [nfsd]
    vfs_write+0x1a5/0x6d0
    ksys_write+0xc1/0x160
    do_syscall_64+0x5f/0x170
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

To resolve this issue, cancel `nfsd_shrinker_work` using synchronous
mode in nfs4_state_shutdown_net.
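The following is an added example, not kernel code and not part of the CVE record: a single-threaded userspace model of the interleaving in the diagram above. The work item is driven step by step so the race is reproduced deterministically, with the shrinker already past unhash_client when shutdown begins. model_cancel_work() mirrors the kernel semantics that cancel_work() only stops an item that has not started executing, while model_cancel_work_sync() additionally waits for (here: drives to completion) an item that is already running. The struct layout, the function names prefixed with model_ and shrinker_, and the single client with a single nfsd_file object are assumptions made for the example.

```c
/* Added example (not kernel code): a deterministic model of the shutdown
 * race fixed in CVE-2024-50121. The names in comments are the advisory's;
 * the struct and function layout are assumptions made for this example. */
#include <stdbool.h>
#include <stdio.h>

enum work_state { WORK_IDLE, WORK_PENDING, WORK_RUNNING_UNHASHED, WORK_DONE };

/* Model of the per-netns nfsd state. */
struct nn_model {
    enum work_state shrinker;  /* nn->nfsd_shrinker_work */
    int hashed_clients;        /* clients nfs4_state_destroy_net can see */
    int nfsd_file_objects;     /* live objects in the nfsd_file slab */
};

/* expire_client(), first half: unhash the client so destroy_net skips it. */
static void shrinker_unhash_client(struct nn_model *nn)
{
    nn->shrinker = WORK_RUNNING_UNHASHED;
    nn->hashed_clients--;
}

/* expire_client(), second half (__destroy_client): release nfsd_file objects. */
static void shrinker_destroy_client(struct nn_model *nn)
{
    nn->nfsd_file_objects--;
    nn->shrinker = WORK_DONE;
}

/* Model of cancel_work(): only stops work that has not started yet. Returns
 * true when a pending item was cancelled, false if it was already running. */
static bool model_cancel_work(struct nn_model *nn)
{
    if (nn->shrinker == WORK_PENDING) {
        nn->shrinker = WORK_IDLE;
        return true;
    }
    return false;
}

/* Model of cancel_work_sync(): like cancel_work(), but if the item is
 * executing, wait for it to finish (modelled by driving it to completion). */
static bool model_cancel_work_sync(struct nn_model *nn)
{
    bool cancelled = model_cancel_work(nn);
    if (nn->shrinker == WORK_RUNNING_UNHASHED)
        shrinker_destroy_client(nn);
    return cancelled;
}

/* nfs4_state_destroy_net(): releases only clients that are still hashed. */
static void model_nfs4_state_destroy_net(struct nn_model *nn)
{
    nn->nfsd_file_objects -= nn->hashed_clients;
    nn->hashed_clients = 0;
}

/* Runs the shutdown sequence from the advisory and returns how many
 * nfsd_file objects are still alive when kmem_cache_destroy(nfsd_file_slab)
 * would run. Non-zero is the "Objects remaining" warning; in the real kernel
 * those objects are later freed by the still-running shrinker into a
 * destroyed cache, which is the use-after-free. */
int objects_remaining_at_cache_shutdown(bool use_sync_cancel)
{
    struct nn_model nn = { WORK_PENDING, /* hashed */ 1, /* objects */ 1 };

    /* nfsd_client_shrinker is already executing expire_client() */
    shrinker_unhash_client(&nn);

    /* echo 0 > /proc/fs/nfsd/threads -> nfs4_state_shutdown_net */
    if (use_sync_cancel)
        model_cancel_work_sync(&nn);   /* fixed kernel: waits for the worker */
    else
        model_cancel_work(&nn);        /* vulnerable kernel: returns at once */
    model_nfs4_state_destroy_net(&nn); /* sees no hashed client, frees nothing */

    /* nfsd_file_cache_shutdown -> kmem_cache_destroy(nfsd_file_slab) */
    int remaining = nn.nfsd_file_objects;

    /* In the vulnerable ordering the shrinker only finishes now. */
    if (nn.shrinker == WORK_RUNNING_UNHASHED)
        shrinker_destroy_client(&nn);
    return remaining;
}

int main(void)
{
    printf("cancel_work():      %d object(s) remaining at slab destroy\n",
           objects_remaining_at_cache_shutdown(false));
    printf("cancel_work_sync(): %d object(s) remaining at slab destroy\n",
           objects_remaining_at_cache_shutdown(true));
    return 0;
}
```

The point the model makes is the one in the advisory's "won't wait shrinker exit" comment: cancel_work() returning does not mean the work function has stopped running, so any teardown that follows it must not assume the worker's objects are gone. The fix is purely ordering: cancel_work_sync() blocks until the in-flight expire_client() has released its objects, so nfsd_file_cache_shutdown() finds the slab empty.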

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10.220 (including) 5.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15.154 (including) 6.1 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.59 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*