CVE-2024-46682

In the Linux kernel, the following vulnerability has been resolved:

nfsd: prevent panic for nfsv4.0 closed files in nfs4showopen

Prior to commit 3f29cc82a84c ("nfsd: split scstatus out of sctype") statesshow() relied on sctype field to be of valid type before calling into a subfunction to show content of a particular stateid. From that commit, we split the validity of the stateid into scstatus and no longer changed sctype to 0 while unhashing the stateid. This resulted in kernel oopsing for nfsv4.0 opens that stay around and in nfs4showopen() would derefence sc_file which was NULL.

Instead, for closed open stateids forgo displaying information that relies of having a valid sc_file.

To reproduce: mount the server with 4.0, read and close a file and then on the server cat /proc/fs/nfsd/clients/2/states

[ 513.590804] Call trace: [ 513.590925] rawspinlock+0xcc/0x160 [ 513.591119] nfs4showopen+0x78/0x2c0 [nfsd] [ 513.591412] statesshow+0x44c/0x488 [nfsd] [ 513.591681] seqreaditer+0x5d8/0x760 [ 513.591896] seqread+0x188/0x208 [ 513.592075] vfsread+0x148/0x470 [ 513.592241] ksys_read+0xcc/0x178