CVE-2022-50241

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50241
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50241.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50241
Downstream
Published
2025-09-15T14:15:34Z
Modified
2025-09-15T19:00:19Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

NFSD: fix use-after-free on source server when doing inter-server copy

Use-after-free occurred when the laundromat tried to free expired cpntf_state entry on the s2s_cp_stateids list after inter-server copy completed. The sc_cp_list that the expired copy state was inserted on was already freed.

When COPY completes, the Linux client normally sends LOCKU(lock_state x), FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server. The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state from the s2s_cp_stateids list before freeing the lock state's stid.

However, sometimes the CLOSE was sent before the FREE_STATEID request. When this happens, the nfsd4_close_open_stateid call from nfsd4_close frees all lock states on its st_locks list without cleaning up the copy state on the sc_cp_list. By the time the FREE_STATEID arrives, the server returns BAD_STATEID since the lock state was freed. This causes the use-after-free error to occur when the laundromat tries to free the expired cpntf_state.

This patch adds a call to nfs4_free_cpntf_statelist in nfsd4_close_open_stateid to clean up the copy state before calling free_ol_stateid_reaplist to free the lock state's stid on the reaplist.

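The lifetime bug described above, as an added model written for this page and not the kernel's own code: a copy-notify state sits on two lists at once (its parent lock stateid's sc_cp_list and the server-wide s2s_cp_stateids list), and whichever teardown path releases the lock stateid must unlink the copy state first. The structure and function names are borrowed from the commit message but the bodies are simplified stand-ins; LOCKU is not modelled, kfree is replaced by a freed flag so the would-be use-after-free is counted instead of triggered, and the expiry values are constructed. The fixed flag on close_open_stateid toggles the patch's added nfs4_free_cpntf_statelist call.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive doubly linked list, the same shape as the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n;  h->next = n;
}
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;
}
static int list_empty(const struct list_head *h) { return h->next == h; }

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct lock_stateid;

/* Stand-in for nfs4_cpntf_state: one object linked on two lists at once. */
struct cpntf_state {
    struct list_head cp_list;     /* entry on the parent lock stateid's sc_cp_list */
    struct list_head s2s_entry;   /* entry on the server-wide s2s_cp_stateids list */
    struct lock_stateid *parent;  /* owner of the sc_cp_list we are linked into */
    long expiry;                  /* laundromat reaps the entry once now >= expiry */
};

/* Stand-in for a lock stateid (nfs4_ol_stateid with its embedded stid). */
struct lock_stateid {
    struct list_head st_locks;    /* entry on the open stateid's st_locks list */
    struct list_head sc_cp_list;  /* copy states that still reference this lock */
    int freed;                    /* simulated kfree: set instead of freeing, so a UAF is detectable */
};

static struct list_head s2s_cp_stateids;   /* server-wide list the laundromat walks */
static long now;                           /* constructed clock, not kernel time */

/* COPY registers a copy-notify state tied to the lock stateid. */
static void add_cpntf_state(struct lock_stateid *lock, long expiry)
{
    struct cpntf_state *cps = calloc(1, sizeof *cps);
    if (!cps) abort();
    cps->parent = lock;
    cps->expiry = expiry;
    list_add(&cps->cp_list, &lock->sc_cp_list);
    list_add(&cps->s2s_entry, &s2s_cp_stateids);
}

/* Stand-in for nfs4_free_cpntf_statelist: unlink every copy state from both lists, then free it. */
static void free_cpntf_statelist(struct lock_stateid *lock)
{
    while (!list_empty(&lock->sc_cp_list)) {
        struct cpntf_state *cps =
            container_of(lock->sc_cp_list.next, struct cpntf_state, cp_list);
        list_del(&cps->cp_list);
        list_del(&cps->s2s_entry);
        free(cps);
    }
}

/* Stand-in for nfsd4_free_stateid -> nfs4_put_stid, the path the client normally takes first.
 * Returns -1 (BAD_STATEID) when the lock stateid was already released by CLOSE. */
static int free_stateid(struct lock_stateid *lock)
{
    if (lock->freed) return -1;
    free_cpntf_statelist(lock);
    list_del(&lock->st_locks);
    lock->freed = 1;
    return 0;
}

/* Stand-in for nfsd4_close_open_stateid releasing every lock on the open's st_locks.
 * fixed == 0 reproduces the bug: locks are released with their copy states still linked. */
static void close_open_stateid(struct list_head *st_locks, int fixed)
{
    while (!list_empty(st_locks)) {
        struct lock_stateid *lock =
            container_of(st_locks->next, struct lock_stateid, st_locks);
        if (fixed)
            free_cpntf_statelist(lock);   /* the call the patch adds */
        list_del(&lock->st_locks);
        lock->freed = 1;                  /* free_ol_stateid_reaplist in the kernel */
    }
}

/* Stand-in for the laundromat pass over s2s_cp_stateids. In the kernel, list_del(&cps->cp_list)
 * on an entry whose parent lock stateid was already freed is the use-after-free; here such
 * entries are counted and dropped without touching the parent. */
static int laundromat(void)
{
    int uaf = 0;
    struct list_head *pos = s2s_cp_stateids.next;
    while (pos != &s2s_cp_stateids) {
        struct cpntf_state *cps = container_of(pos, struct cpntf_state, s2s_entry);
        pos = pos->next;
        if (cps->expiry > now) continue;
        if (cps->parent->freed) { uaf++; }
        else                    { list_del(&cps->cp_list); }
        list_del(&cps->s2s_entry);
        free(cps);
    }
    return uaf;
}

/* One COPY teardown on the source server. close_first: client sends CLOSE before FREE_STATEID
 * (the reordering that triggers the bug). Returns how many UAFs the laundromat would have hit. */
static int run_teardown(int close_first, int fixed)
{
    struct list_head st_locks;                 /* the open stateid's lock list */
    struct lock_stateid *lock = calloc(1, sizeof *lock);
    if (!lock) abort();
    list_init(&s2s_cp_stateids);
    list_init(&st_locks);
    list_init(&lock->sc_cp_list);
    list_add(&lock->st_locks, &st_locks);

    now = 100;
    add_cpntf_state(lock, 50);                 /* constructed: already expired when the laundromat runs */

    if (close_first) {
        close_open_stateid(&st_locks, fixed);  /* CLOSE(open_state y) */
        (void)free_stateid(lock);              /* late FREE_STATEID(lock_state x): BAD_STATEID */
    } else {
        (void)free_stateid(lock);              /* FREE_STATEID(lock_state x) */
        close_open_stateid(&st_locks, fixed);  /* CLOSE(open_state y): st_locks already empty */
    }

    int uaf = laundromat();
    free(lock);
    return uaf;
}

int main(void)
{
    printf("CLOSE first, unpatched : %d UAF\n", run_teardown(1, 0));
    printf("CLOSE first, patched   : %d UAF\n", run_teardown(1, 1));
    printf("normal order, unpatched: %d UAF\n", run_teardown(0, 0));
    return 0;
}
```

Only the reordered sequence on the unpatched path leaves an expired copy state whose parent was already released; both the normal order and the patched close path unlink the copy state before the lock stateid goes away, which is exactly the invariant the added nfs4_free_cpntf_statelist call restores.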
References

Affected packages