{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix use-after-free due to delegation race\n\nA delegation break could arrive as soon as we've called vfs_setlease. A\ndelegation break runs a callback which immediately (in\nnfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we\nthen exit nfs4_set_delegation without hashing the delegation, it will be\nfreed as soon as the callback is done with it, without ever being\nremoved from del_recall_lru.\n\nSymptoms show up later as use-after-free or list corruption warnings,\nusually in the laundromat thread.\n\nI suspect aba2072f4523 \"nfsd: grant read delegations to clients holding\nwrites\" made this bug easier to hit, but I looked as far back as v3.0\nand it looks to me it already had the same problem. So I'm not sure\nwhere the bug was introduced; it may have been there from the beginning." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "fs/nfsd/nfs4state.c" ], "versions": [ { "version": "1da177e4c3f4", "lessThan": "04a8d07f3d58", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "348714018139", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "33645d3e2272", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "2becaa990b93", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "e0759696de68", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "eeb0711801f5", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "148c816f10fd", "status": "affected", "versionType": "git" }, { "version": "1da177e4c3f4", "lessThan": "548ec0805c39", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "fs/nfsd/nfs4state.c" ], "versions": [ { "version": "4.4.296", "lessThanOrEqual": "4.4.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.9.294", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.14.259", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.19.222", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.4.168", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.85", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.15.8", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/04a8d07f3d58308b92630045560799a3faa3ebce" }, { "url": "https://git.kernel.org/stable/c/348714018139c39533c55661a0c7c990671396b4" }, { "url": "https://git.kernel.org/stable/c/33645d3e22720cac1e4548f8fef57bf0649536ee" }, { "url": "https://git.kernel.org/stable/c/2becaa990b93cbd2928292c0b669d3abb6cf06d4" }, { "url": "https://git.kernel.org/stable/c/e0759696de6851d7536efddfdd2dfed4c4df1f09" }, { "url": "https://git.kernel.org/stable/c/eeb0711801f5e19ef654371b627682aed3b11373" }, { "url": "https://git.kernel.org/stable/c/148c816f10fd11df27ca6a9b3238cdd42fa72cd3" }, { "url": "https://git.kernel.org/stable/c/548ec0805c399c65ed66c6641be467f717833ab5" } ], "title": "nfsd: fix use-after-free due to delegation race", "x_generator": { "engine": "bippy-a5840b7849dd" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2021-47506", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }