{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-50121","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T19:36:19.953Z","datePublished":"2024-11-05T17:10:50.523Z","dateUpdated":"2025-11-03T20:43:43.437Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:46:30.677Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net\n\nIn the normal case, when we excute `echo 0 > /proc/fs/nfsd/threads`, the\nfunction `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will\nrelease all resources related to the hashed `nfs4_client`. If the\n`nfsd_client_shrinker` is running concurrently, the `expire_client`\nfunction will first unhash this client and then destroy it. This can\nlead to the following warning. Additionally, numerous use-after-free\nerrors may occur as well.\n\nnfsd_client_shrinker         echo 0 > /proc/fs/nfsd/threads\n\nexpire_client                nfsd_shutdown_net\n  unhash_client                ...\n                               nfs4_state_shutdown_net\n                                 /* won't wait shrinker exit */\n  /*                             cancel_work(&nn->nfsd_shrinker_work)\n   * nfsd_file for this          /* won't destroy unhashed client1 */\n   * client1 still alive         nfs4_state_destroy_net\n   */\n\n                               nfsd_file_cache_shutdown\n                                 /* trigger warning */\n                                 kmem_cache_destroy(nfsd_file_slab)\n                                 kmem_cache_destroy(nfsd_file_mark_slab)\n  /* release nfsd_file and mark */\n  __destroy_client\n\n====================================================================\nBUG nfsd_file (Not tainted): Objects remaining in nfsd_file on\n__kmem_cache_shutdown()\n--------------------------------------------------------------------\nCPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1\n\n dump_stack_lvl+0x53/0x70\n slab_err+0xb0/0xf0\n __kmem_cache_shutdown+0x15c/0x310\n kmem_cache_destroy+0x66/0x160\n nfsd_file_cache_shutdown+0xac/0x210 [nfsd]\n nfsd_destroy_serv+0x251/0x2a0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n====================================================================\nBUG nfsd_file_mark (Tainted: G    B   W         ): Objects remaining\nnfsd_file_mark on __kmem_cache_shutdown()\n--------------------------------------------------------------------\n\n dump_stack_lvl+0x53/0x70\n slab_err+0xb0/0xf0\n __kmem_cache_shutdown+0x15c/0x310\n kmem_cache_destroy+0x66/0x160\n nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]\n nfsd_destroy_serv+0x251/0x2a0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo resolve this issue, cancel `nfsd_shrinker_work` using synchronous\nmode in nfs4_state_shutdown_net."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfsd/nfs4state.c"],"versions":[{"version":"2bbf10861d51dae76c6da7113516d0071c782653","lessThan":"f67138dd338cb564ade7d3755c8cd4f68b46d397","status":"affected","versionType":"git"},{"version":"958294a3eb82026fcfff20b0287a90e9c854785e","lessThan":"5ade4382de16c34d9259cb548f36ec5c4555913c","status":"affected","versionType":"git"},{"version":"f3ea5ec83d1a827f074b2b660749817e0bf2b23e","lessThan":"36775f42e039b01d4abe8998bf66771a37d3cdcc","status":"affected","versionType":"git"},{"version":"7c24fa225081f31bc6da6a355c1ba801889ab29a","lessThan":"f965dc0f099a54fca100acf6909abe52d0c85328","status":"affected","versionType":"git"},{"version":"7c24fa225081f31bc6da6a355c1ba801889ab29a","lessThan":"add1df5eba163a3a6ece11cb85890e2e410baaea","status":"affected","versionType":"git"},{"version":"7c24fa225081f31bc6da6a355c1ba801889ab29a","lessThan":"d5ff2fb2e7167e9483846e34148e60c0c016a1f6","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfsd/nfs4state.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"5.10.233","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.176","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.123","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.59","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.11.6","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.220","versionEndExcluding":"5.10.233"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.154","versionEndExcluding":"5.15.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.81","versionEndExcluding":"6.1.123"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.11.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f67138dd338cb564ade7d3755c8cd4f68b46d397"},{"url":"https://git.kernel.org/stable/c/5ade4382de16c34d9259cb548f36ec5c4555913c"},{"url":"https://git.kernel.org/stable/c/36775f42e039b01d4abe8998bf66771a37d3cdcc"},{"url":"https://git.kernel.org/stable/c/f965dc0f099a54fca100acf6909abe52d0c85328"},{"url":"https://git.kernel.org/stable/c/add1df5eba163a3a6ece11cb85890e2e410baaea"},{"url":"https://git.kernel.org/stable/c/d5ff2fb2e7167e9483846e34148e60c0c016a1f6"}],"title":"nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-50121","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2024-12-11T14:48:54.353206Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","cweId":"CWE-416","description":"CWE-416 Use After Free"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-12-11T14:58:33.921Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T20:43:43.437Z"}}]}}