In the Linux kernel, the following vulnerability has been resolved:

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

In the normal case, when we execute echo 0 > /proc/fs/nfsd/threads, the function nfs4_state_destroy_net in nfs4_state_shutdown_net will release all resources related to the hashed nfs4_client. If the nfsd_client_shrinker is running concurrently, the expire_client function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well.

    nfsd_client_shrinker                echo 0 > /proc/fs/nfsd/threads
      expire_client                       nfsd_shutdown_net
        unhash_client                       ...
                                            nfs4_state_shutdown_net
                                              /* won't wait shrinker exit */
        /*                                    cancel_work(&nn->nfsd_shrinker_work)
         * nfsd_file for this                 /* won't destroy unhashed client1 */
         * client1 still alive                nfs4_state_destroy_net
         */
                                            nfsd_file_cache_shutdown
                                              /* trigger warning */
                                              kmem_cache_destroy(nfsd_file_slab)
                                              kmem_cache_destroy(nfsd_file_mark_slab)
        /* release nfsd_file and mark */
        __destroy_client

    ====================================================================
    BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown()
    --------------------------------------------------------------------
    CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1
     dump_stack_lvl+0x53/0x70
     slab_err+0xb0/0xf0
     __kmem_cache_shutdown+0x15c/0x310
     kmem_cache_destroy+0x66/0x160
     nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
     nfsd_destroy_serv+0x251/0x2a0 [nfsd]
     nfsd_svc+0x125/0x1e0 [nfsd]
     write_threads+0x16a/0x2a0 [nfsd]
     nfsctl_transaction_write+0x74/0xa0 [nfsd]
     vfs_write+0x1a5/0x6d0
     ksys_write+0xc1/0x160
     do_syscall_64+0x5f/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

    ====================================================================
    BUG nfsd_file_mark (Tainted: G    B   W    ): Objects remaining nfsd_file_mark on __kmem_cache_shutdown()
    --------------------------------------------------------------------
     dump_stack_lvl+0x53/0x70
     slab_err+0xb0/0xf0
     __kmem_cache_shutdown+0x15c/0x310
     kmem_cache_destroy+0x66/0x160
     nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
     nfsd_destroy_serv+0x251/0x2a0 [nfsd]
     nfsd_svc+0x125/0x1e0 [nfsd]
     write_threads+0x16a/0x2a0 [nfsd]
     nfsctl_transaction_write+0x74/0xa0 [nfsd]
     vfs_write+0x1a5/0x6d0
     ksys_write+0xc1/0x160
     do_syscall_64+0x5f/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

To resolve this issue, cancel nfsd_shrinker_work using synchronous mode in nfs4_state_shutdown_net, so that the shutdown path waits for an in-flight expire_client to finish before nfsd_file_cache_shutdown destroys the slab caches.
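The defect comes down to cancel_work() returning while expire_client is still mid-flight, so the nfsd_file slab is torn down with an object outstanding. The userspace model below is an added illustration and not kernel code: a worker thread stands in for the shrinker's expire_client, a counter stands in for the nfsd_file slab, and the two shutdown functions stand in for cancel_work() versus cancel_work_sync(). All names here (toy_cache, toy_work, shutdown_with_async_cancel, shutdown_with_sync_cancel) are constructed. The model covers only the already-running case, since a work item that is still queued is dequeued by both kernel variants; the point it makes is that only the synchronous cancel guarantees the worker has finished before the cache is destroyed.

```c
#include <pthread.h>
#include <stdio.h>

/* Constructed model of the nfsd shutdown race (not kernel code). */

struct toy_cache {
    pthread_mutex_t lock;
    int objects_live;          /* objects outstanding from the "slab" */
};

struct toy_work {
    pthread_t thread;
    pthread_mutex_t lock;
    pthread_cond_t cv;
    int holding;               /* worker has allocated and is mid-flight */
    int may_finish;            /* worker is allowed to run to completion */
    struct toy_cache *cache;
};

static void cache_alloc(struct toy_cache *c) {
    pthread_mutex_lock(&c->lock); c->objects_live++; pthread_mutex_unlock(&c->lock);
}
static void cache_free(struct toy_cache *c) {
    pthread_mutex_lock(&c->lock); c->objects_live--; pthread_mutex_unlock(&c->lock);
}

/* Analogue of kmem_cache_destroy(): the kernel warns "Objects remaining"
 * when the value returned here is non-zero. */
static int cache_destroy(struct toy_cache *c) {
    pthread_mutex_lock(&c->lock);
    int remaining = c->objects_live;
    pthread_mutex_unlock(&c->lock);
    return remaining;
}

/* Worker: analogue of expire_client() running from the shrinker work. */
static void *worker_fn(void *arg) {
    struct toy_work *w = arg;
    cache_alloc(w->cache);                 /* the nfsd_file the client holds */
    pthread_mutex_lock(&w->lock);
    w->holding = 1;
    pthread_cond_broadcast(&w->cv);
    while (!w->may_finish)                 /* "preempted" while still using it */
        pthread_cond_wait(&w->cv, &w->lock);
    pthread_mutex_unlock(&w->lock);
    cache_free(w->cache);                  /* __destroy_client releases it */
    return NULL;
}

/* Start the work and block until the race window is open. */
static void work_start(struct toy_work *w, struct toy_cache *c) {
    pthread_mutex_init(&w->lock, NULL);
    pthread_cond_init(&w->cv, NULL);
    w->holding = w->may_finish = 0;
    w->cache = c;
    pthread_create(&w->thread, NULL, worker_fn, w);
    pthread_mutex_lock(&w->lock);
    while (!w->holding)
        pthread_cond_wait(&w->cv, &w->lock);
    pthread_mutex_unlock(&w->lock);
}

/* Let the worker proceed, as the scheduler eventually would. */
static void work_release(struct toy_work *w) {
    pthread_mutex_lock(&w->lock);
    w->may_finish = 1;
    pthread_cond_broadcast(&w->cv);
    pthread_mutex_unlock(&w->lock);
}

/* cancel_work() model: returns at once; a running worker keeps going. */
static void cancel_work_model(struct toy_work *w) { (void)w; }

/* cancel_work_sync() model: does not return until the worker has finished. */
static void cancel_work_sync_model(struct toy_work *w) {
    work_release(w);
    pthread_join(w->thread, NULL);
}

/* Each returns the number of objects still live when the cache is destroyed. */
int shutdown_with_async_cancel(void) {
    struct toy_cache c = { PTHREAD_MUTEX_INITIALIZER, 0 };
    struct toy_work w;
    work_start(&w, &c);
    cancel_work_model(&w);                 /* won't wait for the shrinker */
    int remaining = cache_destroy(&c);     /* worker still holds its object */
    work_release(&w);                      /* cleanup so the thread can exit */
    pthread_join(w.thread, NULL);
    return remaining;
}

int shutdown_with_sync_cancel(void) {
    struct toy_cache c = { PTHREAD_MUTEX_INITIALIZER, 0 };
    struct toy_work w;
    work_start(&w, &c);
    cancel_work_sync_model(&w);            /* waits until the worker is done */
    return cache_destroy(&c);              /* nothing outstanding */
}

int main(void) {
    printf("cancel_work:      %d object(s) remaining\n", shutdown_with_async_cancel());
    printf("cancel_work_sync: %d object(s) remaining\n", shutdown_with_sync_cancel());
    return 0;
}
```

The asynchronous variant reports one object remaining, which is the userspace counterpart of the "Objects remaining in nfsd_file" warning; the synchronous variant reports zero. The same review question applies to any teardown path that follows a cancel_work(): whether anything destroyed afterwards can still be referenced by work that was already executing when the cancel was issued.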