CVE-2024-46682

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open<br /> <br /> Prior to commit 3f29cc82a84c ("nfsd: split sc_status out of<br /> sc_type") states_show() relied on sc_type field to be of valid<br /> type before calling into a subfunction to show content of a<br /> particular stateid. From that commit, we split the validity of<br /> the stateid into sc_status and no longer changed sc_type to 0<br /> while unhashing the stateid. This resulted in kernel oopsing<br /> for nfsv4.0 opens that stay around and in nfs4_show_open()<br /> would derefence sc_file which was NULL.<br /> <br /> Instead, for closed open stateids forgo displaying information<br /> that relies of having a valid sc_file.<br /> <br /> To reproduce: mount the server with 4.0, read and close<br /> a file and then on the server cat /proc/fs/nfsd/clients/2/states<br /> <br /> [ 513.590804] Call trace:<br /> [ 513.590925] _raw_spin_lock+0xcc/0x160<br /> [ 513.591119] nfs4_show_open+0x78/0x2c0 [nfsd]<br /> [ 513.591412] states_show+0x44c/0x488 [nfsd]<br /> [ 513.591681] seq_read_iter+0x5d8/0x760<br /> [ 513.591896] seq_read+0x188/0x208<br /> [ 513.592075] vfs_read+0x148/0x470<br /> [ 513.592241] ksys_read+0xcc/0x178