IM
IronMonkey Threat Research

CVE-2026-22980 HIGH

Published: 2026-01-23 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particularly. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called by the landromat work queue and this doesn't require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access. However, we must be sure that writing to v4_end_grace doesn't restart the work item after shutdown has already waited for it. For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held. So this patch adds a nfsd_net field "client_tracking_active" which is set as described. Another field "grace_end_forced", is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This "grace_end_forced" field bypasses other checks for whether the grace period has finished. This resolves a race which can result in use-after-free.

Additional Descriptions (1)

En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: nfsd: proporcionar bloqueo para v4_end_grace Escribir en v4_end_grace puede competir con el apagado del servidor y resultar en que la memoria sea accedida después de haber sido liberada - reclaim_str_hashtbl en particular. No podemos mantener nfsd_mutex durante la llamada a nfsd4_end_grace() ya que se mantiene mientras se llama a client_tracking_op->init() y eso puede esperar una llamada ascendente a nfsdcltrack que puede escribir en v4_end_grace, resultando en un interbloqueo. nfsd4_end_grace() también es llamada por la cola de trabajo 'landromat' y esto no requiere bloqueo ya que el apagado del servidor detendrá el trabajo y esperará por él antes de liberar cualquier cosa a la que nfsd4_end_grace() pudiera acceder. Sin embargo, debemos asegurarnos de que escribir en v4_end_grace no reinicie el elemento de trabajo después de que el apagado ya lo haya esperado. Para esto añadimos una nueva bandera protegida con nn->client_lock. Se establece solo mientras es seguro realizar llamadas de seguimiento de cliente, y v4_end_grace solo programa trabajo mientras la bandera está establecida con el spinlock mantenido. Así, este parche añade un campo nfsd_net 'client_tracking_active' que se establece como se describe. Otro campo 'grace_end_forced', se establece cuando se escribe en v4_end_grace. Después de que esto se establece, y siempre que client_tracking_active esté establecido, el 'laundromat' es programado. Este campo 'grace_end_forced' omite otras comprobaciones para determinar si el período de gracia ha terminado. Esto resuelve una condición de carrera que puede resultar en uso después de liberación.

CVSS Metrics

Base Score: 7.8 (HIGH)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactHIGH
Integrity ImpactHIGH
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 5.9

Weaknesses

Source Type Description
[email protected] Primary
en CWE-416

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bfc1deb80> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b8344d8c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bfc1dea40> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b8344ef00> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bfc3376c0> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bfc335bc0> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bde2e7240> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bfc1dee80> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702b8344e300> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bfc337440> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*

References

Notification
Message here