CVE-2024-26958— nfs: fix UAF in direct writes
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-26958
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
nfs: fix UAF in direct writes
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: nfs: fix UAF in direct writes In production we have been hitting the following warning consistently ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0 Workqueue: nfsiod nfs_direct_write_schedule_work [nfs] RIP: 0010:refcount_warn_saturate+0x9c/0xe0 PKRU: 55555554 Call Trace: <TASK> ? __warn+0x9f/0x130 ? refcount_warn_saturate+0x9c/0xe0 ? report_bug+0xcc/0x150 ? handle_bug+0x3d/0x70 ? exc_invalid_op+0x16/0x40 ? asm_exc_invalid_op+0x16/0x20 ? refcount_warn_saturate+0x9c/0xe0 nfs_direct_write_schedule_work+0x237/0x250 [nfs] process_one_work+0x12f/0x4a0 worker_thread+0x14e/0x3b0 ? ZSTD_getCParams_internal+0x220/0x220 kthread+0xdc/0x120 ? __btf_name_valid+0xa0/0xa0 ret_from_fork+0x1f/0x30 This is because we're completing the nfs_direct_request twice in a row. The source of this is when we have our commit requests to submit, we process them and send them off, and then in the completion path for the commit requests we have if (nfs_commit_end(cinfo.mds)) nfs_direct_write_complete(dreq); However since we're submitting asynchronous requests we sometimes have one that completes before we submit the next one, so we end up calling complete on the nfs_direct_request twice. The only other place we use nfs_generic_commit_list() is in __nfs_commit_inode, which wraps this call in a nfs_commit_begin(); nfs_commit_end(); Which is a common pattern for this style of completion handling, one that is also repeated in the direct code with get_dreq()/put_dreq() calls around where we process events as well as in the completion paths. Fix this by using the same pattern for the commit requests. Before with my 200 node rocksdb stress running this warning would pop every 10ish minutes. With my patch the stress test has been running for several hours without popping.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于内存释放后重用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-26958
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-26958
请登录查看更多情报信息。
Same Patch Batch · Linux · 2024-05-01 · 159 CVEs total
| CVE-2024-27038 | clk: Fix clk_core_get NULL dereference | |
| CVE-2024-27029 | drm/amdgpu: fix mmhub client id out-of-bounds access | |
| CVE-2024-27030 | octeontx2-af: Use separate handlers for interrupts | |
| CVE-2024-27031 | NFS: Fix nfs_netfs_issue_read() xarray locking for writeback interrupt | |
| CVE-2024-27032 | f2fs: fix to avoid potential panic during recovery | |
| CVE-2024-27033 | f2fs: fix to remove unnecessary f2fs_bug_on() to avoid panic | |
| CVE-2024-27034 | f2fs: compress: fix to cover normal cluster write with cp_rwsem | |
| CVE-2024-27035 | f2fs: compress: fix to guarantee persisting compressed blocks by CP | |
| CVE-2024-27036 | cifs: Fix writeback data corruption | |
| CVE-2024-27037 | clk: zynq: Prevent null pointer dereference caused by kmalloc failure | |
| CVE-2024-27044 | drm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_fun | |
| CVE-2024-27048 | wifi: brcm80211: handle pmk_op allocation failure | |
| CVE-2024-27047 | net: phy: fix phy_get_internal_delay accessing an empty array | |
| CVE-2024-27046 | nfp: flower: handle acti_netdevs allocation failure | |
| CVE-2024-27045 | drm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()' | |
| CVE-2024-27041 | drm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini() | |
| CVE-2024-27039 | clk: hisilicon: hi3559a: Fix an erroneous devm_kfree() | |
| CVE-2024-27040 | drm/amd/display: Add 'replay' NULL check in 'edp_set_replay_allow_active()' | |
| CVE-2024-27028 | spi: spi-mt65xx: Fix NULL pointer access in interrupt handler | |
| CVE-2024-27043 | media: edia: dvbdev: fix a use-after-free |
Showing top 20 of 159 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2024-26958
No comments yet