{
  "threat_severity" : "Moderate",
  "public_date" : "2025-01-08T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur",
    "id" : "2336550",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2336550"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-401",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur\nThe action force umount(umount -f) will attempt to kill all rpc_task even\numount operation may ultimately fail if some files remain open.\nConsequently, if an action attempts to open a file, it can potentially\nsend two rpc_task to nfs server.\nNFS CLIENT\nthread1                             thread2\nopen(\"file\")\n...\nnfs4_do_open\n_nfs4_do_open\n_nfs4_open_and_get_state\n_nfs4_proc_open\nnfs4_run_open_task\n/* rpc_task1 */\nrpc_run_task\nrpc_wait_for_completion_task\numount -f\nnfs_umount_begin\nrpc_killall_tasks\nrpc_signal_task\nrpc_task1 been wakeup\nand return -512\n_nfs4_do_open // while loop\n...\nnfs4_run_open_task\n/* rpc_task2 */\nrpc_run_task\nrpc_wait_for_completion_task\nWhile processing an open request, nfsd will first attempt to find or\nallocate an nfs4_openowner. If it finds an nfs4_openowner that is not\nmarked as NFS4_OO_CONFIRMED, this nfs4_openowner will be released. Since\ntwo rpc_task can attempt to open the same file simultaneously from the\nclient to server, and because two instances of nfsd can run\nconcurrently, this situation can lead to lots of memory leak.\nAdditionally, when we echo 0 to /proc/fs/nfsd/threads, warning will be\ntriggered.\nNFS SERVER\nnfsd1                  nfsd2       echo 0 > /proc/fs/nfsd/threads\nnfsd4_open\nnfsd4_process_open1\nfind_or_alloc_open_stateowner\n// alloc oo1, stateid1\nnfsd4_open\nnfsd4_process_open1\nfind_or_alloc_open_stateowner\n// find oo1, without NFS4_OO_CONFIRMED\nrelease_openowner\nunhash_openowner_locked\nlist_del_init(&oo->oo_perclient)\n// cannot find this oo\n// from client, LEAK!!!\nalloc_stateowner // alloc oo2\nnfsd4_process_open2\ninit_open_stateid\n// associate oo1\n// with stateid1, stateid1 LEAK!!!\nnfs4_get_vfs_file\n// alloc nfsd_file1 and nfsd_file_mark1\n// all LEAK!!!\nnfsd4_process_open2\n...\nwrite_threads\n...\nnfsd_destroy_serv\nnfsd_shutdown_net\nnfs4_state_shutdown_net\nnfs4_state_destroy_net\ndestroy_client\n__destroy_client\n// won't find oo1!!!\nnfsd_shutdown_generic\nnfsd_file_cache_shutdown\nkmem_cache_destroy\nfor nfsd_file_slab\nand nfsd_file_mark_slab\n// bark since nfsd_file1\n// and nfsd_file_mark1\n// still alive\n=======================================================================\nBUG nfsd_file (Not tainted): Objects remaining in nfsd_file on\n__kmem_cache_shutdown()\n-----------------------------------------------------------------------\nSlab 0xffd4000004438a80 objects=34 used=1 fp=0xff11000110e2ad28\nflags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)\nCPU: 4 UID: 0 PID: 757 Comm: sh Not tainted 6.12.0-rc6+ #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n1.16.1-2.fc37 04/01/2014\nCall Trace:\n<TASK>\ndum\n---truncated---" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-56779\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56779\nhttps://lore.kernel.org/linux-cve-announce/2025010812-CVE-2024-56779-74f5@gregkh/T" ],
  "name" : "CVE-2024-56779",
  "csaw" : false
}