CVE-2021-47506
Published: May 24, 2024
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix use-after-free due to delegation race

A delegation break could arrive as soon as we've called vfs_setlease. A delegation break runs a callback which immediately (in nfsd4_cb_recall_prepare) adds the delegation to del_recall_lru. If we then exit nfs4_set_delegation without hashing the delegation, it will be freed as soon as the callback is done with it, without ever being removed from del_recall_lru.

Symptoms show up later as use-after-free or list corruption warnings, usually in the laundromat thread.

I suspect aba2072f4523 "nfsd: grant read delegations to clients holding writes" made this bug easier to hit, but I looked as far back as v3.0 and it looks to me it already had the same problem. So I'm not sure where the bug was introduced; it may have been there from the beginning.

| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | affected dff1399f8addf7129c49bb2227469da79cc30b47 - < 04a8d07f3d58308b92630045560799a3faa3ebce; affected dff1399f8addf7129c49bb2227469da79cc30b47 - < 348714018139c39533c55661a0c7c990671396b4; affected dff1399f8addf7129c49bb2227469da79cc30b47 - < 33645d3e22720cac1e4548f8fef57bf0649536ee; affected dff1399f8addf7129c49bb2227469da79cc30b47 - < 2becaa990b93cbd2928292c0b669d3abb6cf06d4; affected dff1399f8addf7129c49bb2227469da79cc30b47 - < e0759696de6851d7536efddfdd2dfed4c4df1f09; +3 more versions |
| Linux | Linux | affected 3.17; unaffected 0 - < 3.17; unaffected 4.4.296 - <= 4.4.\*; unaffected 4.9.294 - <= 4.9.\*; unaffected 4.14.259 - <= 4.14.\*; +5 more versions |