CVE-2024-50106

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix race between laundromat and free_stateid

There is a race between laundromat handling of revoked delegations and a client sending freestateid operation. Laundromat thread finds that delegation has expired and needs to be revoked so it marks the delegation stid revoked and it puts it on a reaper list but then it unlock the state lock and the actual delegation revocation happens without the lock. Once the stid is marked revoked a racing freestateid processing thread does the following (1) it calls listdelinit() which removes it from the reaper list and (2) frees the delegation stid structure. The laundromat thread ends up not calling the revoke_delegation() function for this particular delegation but that means it will no release the lock lease that exists on the file.

Now, a new open for this file comes in and ends up finding that lease list isn't empty and calls nfsdbreakerowns_lease() which ends up trying to derefence a freed delegation stateid. Leading to the followint use-after-free KASAN warning:

kernel: ================================================================== kernel: BUG: KASAN: slab-use-after-free in nfsdbreakerownslease+0x140/0x160 [nfsd] kernel: Read of size 8 at addr ffff0000e73cd0c8 by task nfsd/6205 kernel: kernel: CPU: 2 UID: 0 PID: 6205 Comm: nfsd Kdump: loaded Not tainted 6.11.0-rc7+ #9 kernel: Hardware name: Apple Inc. Apple Virtualization Generic Platform, BIOS 2069.0.0.0.0 08/03/2024 kernel: Call trace: kernel: dumpbacktrace+0x98/0x120 kernel: showstack+0x1c/0x30 kernel: dumpstacklvl+0x80/0xe8 kernel: printaddressdescription.constprop.0+0x84/0x390 kernel: printreport+0xa4/0x268 kernel: kasanreport+0xb4/0xf8 kernel: _asanreportload8noabort+0x1c/0x28 kernel: nfsdbreakerownslease+0x140/0x160 [nfsd] kernel: nfsdfiledoacquire+0xb3c/0x11d0 [nfsd] kernel: nfsdfileacquireopened+0x84/0x110 [nfsd] kernel: nfs4getvfsfile+0x634/0x958 [nfsd] kernel: nfsd4processopen2+0xa40/0x1a40 [nfsd] kernel: nfsd4open+0xa08/0xe80 [nfsd] kernel: nfsd4proccompound+0xb8c/0x2130 [nfsd] kernel: nfsddispatch+0x22c/0x718 [nfsd] kernel: svcprocesscommon+0x8e8/0x1960 [sunrpc] kernel: svcprocess+0x3d4/0x7e0 [sunrpc] kernel: svchandlexprt+0x828/0xe10 [sunrpc] kernel: svcrecv+0x2cc/0x6a8 [sunrpc] kernel: nfsd+0x270/0x400 [nfsd] kernel: kthread+0x288/0x310 kernel: retfrom_fork+0x10/0x20

This patch proposes a fixed that's based on adding 2 new additional stid's scstatus values that help coordinate between the laundromat and other operations (nfsd4freestateid() and nfsd4delegreturn()).

First to make sure, that once the stid is marked revoked, it is not removed by the nfsd4freestateid(), the laundromat take a reference on the stateid. Then, coordinating whether the stid has been put on the clrevoked list or we are processing FREESTATEID and need to make sure to remove it from the list, each check that state and act accordingly. If laundromat has added to the clrevoke list before the arrival of FREESTATEID, then nfsd4freestateid() knows to remove it from the list. If nfsd4freestateid() finds that operations arrived before laundromat has placed it on cl_revoke list, it marks the state freed and then laundromat will no longer add it to the list.

Also, for nfsd4delegreturn() when looking for the specified stid, we need to access stid that are marked removed or freeable, it means the laundromat has started processing it but hasn't finished and this delegreturn needs to return nfserrdelegrevoked and not nfserrbadstateid. The latter will not trigger a FREESTATEID and the lack of it will leave this stid on the cl_revoked list indefinitely.