CVE-2024-26958

7.8 HIGH
Published: May 01, 2024 Modified: May 12, 2026
View on NVD

Description

In the Linux kernel, the following vulnerability has been resolved: nfs: fix UAF in direct writes In production we have been hitting the following warning consistently ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0 Workqueue: nfsiod nfs_direct_write_schedule_work [nfs] RIP: 0010:refcount_warn_saturate+0x9c/0xe0 PKRU: 55555554 Call Trace: <TASK> ? __warn+0x9f/0x130 ? refcount_warn_saturate+0x9c/0xe0 ? report_bug+0xcc/0x150 ? handle_bug+0x3d/0x70 ? exc_invalid_op+0x16/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0x9c/0xe0 nfs_direct_write_schedule_work+0x237/0x250 [nfs] process_one_work+0x12f/0x4a0 worker_thread+0x14e/0x3b0 ? ZSTD_getCParams_internal+0x220/0x220 kthread+0xdc/0x120 ? __btf_name_valid+0xa0/0xa0 ret_from_fork+0x1f/0x30 This is because we're completing the nfs_direct_request twice in a row. The source of this is when we have our commit requests to submit, we process them and send them off, and then in the completion path for the commit requests we have if (nfs_commit_end(cinfo.mds)) nfs_direct_write_complete(dreq); However since we're submitting asynchronous requests we sometimes have one that completes before we submit the next one, so we end up calling complete on the nfs_direct_request twice. The only other place we use nfs_generic_commit_list() is in __nfs_commit_inode, which wraps this call in a nfs_commit_begin(); nfs_commit_end(); Which is a common pattern for this style of completion handling, one that is also repeated in the direct code with get_dreq()/put_dreq() calls around where we process events as well as in the completion paths. Fix this by using the same pattern for the commit requests. Before with my 200 node rocksdb stress running this warning would pop every 10ish minutes. With my patch the stress test has been running for several hours without popping.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-265688.html
Source: 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e

17 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.8 / 10.0
EPSS (Exploit Probability)
0.2%
15th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

linux debian