{"id":"CVE-2024-50121","summary":"nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net\n\nIn the normal case, when we excute `echo 0 \u003e /proc/fs/nfsd/threads`, the\nfunction `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will\nrelease all resources related to the hashed `nfs4_client`. If the\n`nfsd_client_shrinker` is running concurrently, the `expire_client`\nfunction will first unhash this client and then destroy it. This can\nlead to the following warning. Additionally, numerous use-after-free\nerrors may occur as well.\n\nnfsd_client_shrinker         echo 0 \u003e /proc/fs/nfsd/threads\n\nexpire_client                nfsd_shutdown_net\n  unhash_client                ...\n                               nfs4_state_shutdown_net\n                                 /* won't wait shrinker exit */\n  /*                             cancel_work(&nn-\u003enfsd_shrinker_work)\n   * nfsd_file for this          /* won't destroy unhashed client1 */\n   * client1 still alive         nfs4_state_destroy_net\n   */\n\n                               nfsd_file_cache_shutdown\n                                 /* trigger warning */\n                                 kmem_cache_destroy(nfsd_file_slab)\n                                 kmem_cache_destroy(nfsd_file_mark_slab)\n  /* release nfsd_file and mark */\n  __destroy_client\n\n====================================================================\nBUG nfsd_file (Not tainted): Objects remaining in nfsd_file on\n__kmem_cache_shutdown()\n--------------------------------------------------------------------\nCPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1\n\n dump_stack_lvl+0x53/0x70\n slab_err+0xb0/0xf0\n __kmem_cache_shutdown+0x15c/0x310\n kmem_cache_destroy+0x66/0x160\n nfsd_file_cache_shutdown+0xac/0x210 [nfsd]\n nfsd_destroy_serv+0x251/0x2a0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n====================================================================\nBUG nfsd_file_mark (Tainted: G    B   W         ): Objects remaining\nnfsd_file_mark on __kmem_cache_shutdown()\n--------------------------------------------------------------------\n\n dump_stack_lvl+0x53/0x70\n slab_err+0xb0/0xf0\n __kmem_cache_shutdown+0x15c/0x310\n kmem_cache_destroy+0x66/0x160\n nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]\n nfsd_destroy_serv+0x251/0x2a0 [nfsd]\n nfsd_svc+0x125/0x1e0 [nfsd]\n write_threads+0x16a/0x2a0 [nfsd]\n nfsctl_transaction_write+0x74/0xa0 [nfsd]\n vfs_write+0x1a5/0x6d0\n ksys_write+0xc1/0x160\n do_syscall_64+0x5f/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nTo resolve this issue, cancel `nfsd_shrinker_work` using synchronous\nmode in nfs4_state_shutdown_net.","modified":"2026-05-18T05:57:18.789842820Z","published":"2024-11-05T17:10:50.523Z","related":["SUSE-SU-2024:4314-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50121.json"},"references":[{"type":"WEB","url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"},{"type":"WEB","url":"https://git.kernel.org/stable/c/36775f42e039b01d4abe8998bf66771a37d3cdcc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5ade4382de16c34d9259cb548f36ec5c4555913c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/add1df5eba163a3a6ece11cb85890e2e410baaea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d5ff2fb2e7167e9483846e34148e60c0c016a1f6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f67138dd338cb564ade7d3755c8cd4f68b46d397"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f965dc0f099a54fca100acf6909abe52d0c85328"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50121.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50121"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2bbf10861d51dae76c6da7113516d0071c782653"},{"fixed":"f67138dd338cb564ade7d3755c8cd4f68b46d397"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"958294a3eb82026fcfff20b0287a90e9c854785e"},{"fixed":"5ade4382de16c34d9259cb548f36ec5c4555913c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f3ea5ec83d1a827f074b2b660749817e0bf2b23e"},{"fixed":"36775f42e039b01d4abe8998bf66771a37d3cdcc"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7c24fa225081f31bc6da6a355c1ba801889ab29a"},{"fixed":"f965dc0f099a54fca100acf6909abe52d0c85328"},{"fixed":"add1df5eba163a3a6ece11cb85890e2e410baaea"},{"fixed":"d5ff2fb2e7167e9483846e34148e60c0c016a1f6"}]}],"versions":["v5.10.232","v5.10.231","v5.10.230","v5.10.229","v5.10.228","v5.10.227","v5.10.226","v5.10.225","v5.10.224","v5.10.223","v5.10.222","v5.10.221","v5.10.220","v5.15.175","v5.15.174","v5.15.173","v5.15.172","v5.15.171","v5.15.170","v5.15.169","v5.15.168","v5.15.167","v5.15.166","v5.15.165","v5.15.164","v5.15.163","v5.15.162","v5.15.161","v5.15.160","v5.15.159","v5.15.158","v5.15.157","v5.15.156","v5.15.155","v5.15.154","v6.1.122","v6.1.121","v6.1.120","v6.1.119","v6.1.118","v6.1.117","v6.1.116","v6.1.115","v6.1.114","v6.1.113","v6.1.112","v6.1.111","v6.1.110","v6.1.109","v6.1.108","v6.1.107","v6.1.106","v6.1.105","v6.1.104","v6.1.103","v6.1.102","v6.1.101","v6.1.100","v6.1.99","v6.1.98","v6.1.97","v6.1.96","v6.1.95","v6.1.94","v6.1.93","v6.1.92","v6.1.91","v6.1.90","v6.1.89","v6.1.88","v6.1.87","v6.1.86","v6.1.85","v6.1.84","v6.1.83","v6.1.82","v6.1.81"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50121.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.233"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.176"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.123"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.59"},{"fixed":"6.11.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50121.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}