CVE-2022-50401

In the Linux kernel, the following vulnerability has been resolved:

nfsd: under NFSv4.1, fix double svcxprtput on rpc_create failure

On error situation clp->cl_cb_conn.cb_xprt should not be given a reference to the xprt otherwise both client cleanup and the error handling path of the caller call to put it. Better to delay handing over the reference to a later branch.

[ 72.530665] refcountt: underflow; use-after-free. [ 72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcountwarnsaturate+0xcf/0x120 [ 72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compatnfsssc(OE) nfsacl(OE) rpcsecgsskrb5(OE) authrpcgss(OE) rpcrdma(OE) dnsresolver fscache netfs grace rdmacm iwcm ibcm sunrpc(OE) mlx5ib mlx5core mlxfw pcihypervintf ibuverbs ibcore xtMASQUERADE nfconntracknetlink nftcounter xtaddrtype nftcompat brnetfilter bridge stp llc nftrejectinet nfrejectipv4 nfrejectipv6 nftreject nftct nftchainnat nfnat nfconntrack nfdefragipv6 nfdefragipv4 ipset overlay nftables nfnetlink crct10difpclmul crc32pclmul ghashclmulniintel xfs serioraw virtionet virtioblk netfailover failover fuse [last unloaded: sunrpc] [ 72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G OE 5.15.82-dan #1 [ 72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014 [ 72.542717] Workqueue: nfsd4callbacks nfsd4runcbwork [nfsd] [ 72.543575] RIP: 0010:refcountwarnsaturate+0xcf/0x120 [ 72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48 [ 72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286 [ 72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000 [ 72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0 [ 72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff [ 72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180 [ 72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0 [ 72.552089] FS: 0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000 [ 72.553175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0 [ 72.554874] Call Trace: [ 72.555278] <TASK> [ 72.555614] svcxprtput+0xaf/0xe0 [sunrpc] [ 72.556276] nfsd4processcbupdate.isra.11+0xb7/0x410 [nfsd] [ 72.557087] ? updateloadavg+0x82/0x610 [ 72.557652] ? cpuacctcharge+0x60/0x70 [ 72.558212] ? dequeueentity+0xdb/0x3e0 [ 72.558765] ? queuedspinunlock+0x9/0x20 [ 72.559358] nfsd4runcbwork+0xfc/0x270 [nfsd] [ 72.560031] processonework+0x1df/0x390 [ 72.560600] workerthread+0x37/0x3b0 [ 72.561644] ? processonework+0x390/0x390 [ 72.562247] kthread+0x12f/0x150 [ 72.562710] ? setkthreadstruct+0x50/0x50 [ 72.563309] retfromfork+0x22/0x30 [ 72.563818] </TASK> [ 72.564189] ---[ end trace 031117b1c72ec616 ]--- [ 72.566019] listadd corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018). [ 72.567647] ------------[ cut here ]------------