{
  "threat_severity" : "Moderate",
  "public_date" : "2024-12-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: nfsd: release svc_expkey/svc_export with rcu_work",
    "id" : "2334415",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2334415"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnfsd: release svc_expkey/svc_export with rcu_work\nThe last reference for `cache_head` can be reduced to zero in `c_show`\nand `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently,\n`svc_export_put` and `expkey_put` will be invoked, leading to two\nissues:\n1. The `svc_export_put` will directly free ex_uuid. However,\n`e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can\ntrigger a use-after-free issue, shown below.\n==================================================================\nBUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd]\nRead of size 1 at addr ff11000010fdc120 by task cat/870\nCPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x53/0x70\nprint_address_description.constprop.0+0x2c/0x3a0\nprint_report+0xb9/0x280\nkasan_report+0xae/0xe0\nsvc_export_show+0x362/0x430 [nfsd]\nc_show+0x161/0x390 [sunrpc]\nseq_read_iter+0x589/0x770\nseq_read+0x1e5/0x270\nproc_reg_read+0xe1/0x140\nvfs_read+0x125/0x530\nksys_read+0xc1/0x160\ndo_syscall_64+0x5f/0x170\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nAllocated by task 830:\nkasan_save_stack+0x20/0x40\nkasan_save_track+0x14/0x30\n__kasan_kmalloc+0x8f/0xa0\n__kmalloc_node_track_caller_noprof+0x1bc/0x400\nkmemdup_noprof+0x22/0x50\nsvc_export_parse+0x8a9/0xb80 [nfsd]\ncache_do_downcall+0x71/0xa0 [sunrpc]\ncache_write_procfs+0x8e/0xd0 [sunrpc]\nproc_reg_write+0xe1/0x140\nvfs_write+0x1a5/0x6d0\nksys_write+0xc1/0x160\ndo_syscall_64+0x5f/0x170\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nFreed by task 868:\nkasan_save_stack+0x20/0x40\nkasan_save_track+0x14/0x30\nkasan_save_free_info+0x3b/0x60\n__kasan_slab_free+0x37/0x50\nkfree+0xf3/0x3e0\nsvc_export_put+0x87/0xb0 [nfsd]\ncache_purge+0x17f/0x1f0 [sunrpc]\nnfsd_destroy_serv+0x226/0x2d0 [nfsd]\nnfsd_svc+0x125/0x1e0 [nfsd]\nwrite_threads+0x16a/0x2a0 [nfsd]\nnfsctl_transaction_write+0x74/0xa0 [nfsd]\nvfs_write+0x1a5/0x6d0\nksys_write+0xc1/0x160\ndo_syscall_64+0x5f/0x170\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`.\nHowever, `svc_export_put`/`expkey_put` will call path_put, which\nsubsequently triggers a sleeping operation due to the following\n`dput`.\n=============================\nWARNING: suspicious RCU usage\n5.10.0-dirty #141 Not tainted\n-----------------------------\n...\nCall Trace:\ndump_stack+0x9a/0xd0\n___might_sleep+0x231/0x240\ndput+0x39/0x600\npath_put+0x1b/0x30\nsvc_export_put+0x17/0x80\ne_show+0x1c9/0x200\nseq_read_iter+0x63f/0x7c0\nseq_read+0x226/0x2d0\nvfs_read+0x113/0x2c0\nksys_read+0xc9/0x170\ndo_syscall_64+0x33/0x40\nentry_SYSCALL_64_after_hwframe+0x67/0xd1\nFix these issues by using `rcu_work` to help release\n`svc_expkey`/`svc_export`. This approach allows for an asynchronous\ncontext to invoke `path_put` and also facilitates the freeing of\n`uuid/exp/key` after an RCU grace period." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.8.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-53216\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-53216\nhttps://lore.kernel.org/linux-cve-announce/2024122732-CVE-2024-53216-ba8b@gregkh/T" ],
  "name" : "CVE-2024-53216",
  "csaw" : false
}