CVE-2022-50241

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSD: fix use-after-free on source server when doing inter-server copy<br /> <br /> Use-after-free occurred when the laundromat tried to free expired<br /> cpntf_state entry on the s2s_cp_stateids list after inter-server<br /> copy completed. The sc_cp_list that the expired copy state was<br /> inserted on was already freed.<br /> <br /> When COPY completes, the Linux client normally sends LOCKU(lock_state x),<br /> FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server.<br /> The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state<br /> from the s2s_cp_stateids list before freeing the lock state&amp;#39;s stid.<br /> <br /> However, sometimes the CLOSE was sent before the FREE_STATEID request.<br /> When this happens, the nfsd4_close_open_stateid call from nfsd4_close<br /> frees all lock states on its st_locks list without cleaning up the copy<br /> state on the sc_cp_list list. When the time the FREE_STATEID arrives the<br /> server returns BAD_STATEID since the lock state was freed. This causes<br /> the use-after-free error to occur when the laundromat tries to free<br /> the expired cpntf_state.<br /> <br /> This patch adds a call to nfs4_free_cpntf_statelist in<br /> nfsd4_close_open_stateid to clean up the copy state before calling<br /> free_ol_stateid_reaplist to free the lock state&amp;#39;s stid on the reaplist.