CVE-2024-36939

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfs: Handle error of rpc_proc_register() in nfs_net_init().<br /> <br /> syzkaller reported a warning [0] triggered while destroying immature<br /> netns.<br /> <br /> rpc_proc_register() was called in init_nfs_fs(), but its error<br /> has been ignored since at least the initial commit 1da177e4c3f4<br /> ("Linux-2.6.12-rc2").<br /> <br /> Recently, commit d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs<br /> in net namespaces") converted the procfs to per-netns and made<br /> the problem more visible.<br /> <br /> Even when rpc_proc_register() fails, nfs_net_init() could succeed,<br /> and thus nfs_net_exit() will be called while destroying the netns.<br /> <br /> Then, remove_proc_entry() will be called for non-existing proc<br /> directory and trigger the warning below.<br /> <br /> Let&amp;#39;s handle the error of rpc_proc_register() properly in nfs_net_init().<br /> <br /> [0]:<br /> name &amp;#39;nfs&amp;#39;<br /> WARNING: CPU: 1 PID: 1710 at fs/proc/generic.c:711 remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711<br /> Modules linked in:<br /> CPU: 1 PID: 1710 Comm: syz-executor.2 Not tainted 6.8.0-12822-gcd51db110a7e #12<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014<br /> RIP: 0010:remove_proc_entry+0x1bb/0x2d0 fs/proc/generic.c:711<br /> Code: 41 5d 41 5e c3 e8 85 09 b5 ff 48 c7 c7 88 58 64 86 e8 09 0e 71 02 e8 74 09 b5 ff 4c 89 e6 48 c7 c7 de 1b 80 84 e8 c5 ad 97 ff 0b eb b1 e8 5c 09 b5 ff 48 c7 c7 88 58 64 86 e8 e0 0d 71 02 eb<br /> RSP: 0018:ffffc9000c6d7ce0 EFLAGS: 00010286<br /> RAX: 0000000000000000 RBX: ffff8880422b8b00 RCX: ffffffff8110503c<br /> RDX: ffff888030652f00 RSI: ffffffff81105045 RDI: 0000000000000001<br /> RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000<br /> R10: 0000000000000001 R11: ffffffff81bb62cb R12: ffffffff84807ffc<br /> R13: ffff88804ad6fcc0 R14: ffffffff84807ffc R15: ffffffff85741ff8<br /> FS: 00007f30cfba8640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007ff51afe8000 CR3: 000000005a60a005 CR4: 0000000000770ef0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> rpc_proc_unregister+0x64/0x70 net/sunrpc/stats.c:310<br /> nfs_net_exit+0x1c/0x30 fs/nfs/inode.c:2438<br /> ops_exit_list+0x62/0xb0 net/core/net_namespace.c:170<br /> setup_net+0x46c/0x660 net/core/net_namespace.c:372<br /> copy_net_ns+0x244/0x590 net/core/net_namespace.c:505<br /> create_new_namespaces+0x2ed/0x770 kernel/nsproxy.c:110<br /> unshare_nsproxy_namespaces+0xae/0x160 kernel/nsproxy.c:228<br /> ksys_unshare+0x342/0x760 kernel/fork.c:3322<br /> __do_sys_unshare kernel/fork.c:3393 [inline]<br /> __se_sys_unshare kernel/fork.c:3391 [inline]<br /> __x64_sys_unshare+0x1f/0x30 kernel/fork.c:3391<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0x4f/0x110 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x46/0x4e<br /> RIP: 0033:0x7f30d0febe5d<br /> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48<br /> RSP: 002b:00007f30cfba7cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110<br /> RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f30d0febe5d<br /> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000006c020600<br /> RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002<br /> R13: 000000000000000b R14: 00007f30d104c530 R15: 0000000000000000<br />