CVE-2024-53216
Description
In the Linux kernel, the following vulnerability has been resolved: nfsd: release svc_expkey/svc_export with rcu_work The last reference for `cache_head` can be reduced to zero in `c_show` and `e_show`(using `rcu_read_lock` and `rcu_read_unlock`). Consequently, `svc_export_put` and `expkey_put` will be invoked, leading to two issues: 1. The `svc_export_put` will directly free ex_uuid. However, `e_show`/`c_show` will access `ex_uuid` after `cache_put`, which can trigger a use-after-free issue, shown below. ================================================================== BUG: KASAN: slab-use-after-free in svc_export_show+0x362/0x430 [nfsd] Read of size 1 at addr ff11000010fdc120 by task cat/870 CPU: 1 UID: 0 PID: 870 Comm: cat Not tainted 6.12.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_address_description.constprop.0+0x2c/0x3a0 print_report+0xb9/0x280 kasan_report+0xae/0xe0 svc_export_show+0x362/0x430 [nfsd] c_show+0x161/0x390 [sunrpc] seq_read_iter+0x589/0x770 seq_read+0x1e5/0x270 proc_reg_read+0xe1/0x140 vfs_read+0x125/0x530 ksys_read+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Allocated by task 830: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc_node_track_caller_noprof+0x1bc/0x400 kmemdup_noprof+0x22/0x50 svc_export_parse+0x8a9/0xb80 [nfsd] cache_do_downcall+0x71/0xa0 [sunrpc] cache_write_procfs+0x8e/0xd0 [sunrpc] proc_reg_write+0xe1/0x140 vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 868: kasan_save_stack+0x20/0x40 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kfree+0xf3/0x3e0 svc_export_put+0x87/0xb0 [nfsd] cache_purge+0x17f/0x1f0 [sunrpc] nfsd_destroy_serv+0x226/0x2d0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e 2. We cannot sleep while using `rcu_read_lock`/`rcu_read_unlock`. However, `svc_export_put`/`expkey_put` will call path_put, which subsequently triggers a sleeping operation due to the following `dput`. ============================= WARNING: suspicious RCU usage 5.10.0-dirty #141 Not tainted ----------------------------- ... Call Trace: dump_stack+0x9a/0xd0 ___might_sleep+0x231/0x240 dput+0x39/0x600 path_put+0x1b/0x30 svc_export_put+0x17/0x80 e_show+0x1c9/0x200 seq_read_iter+0x63f/0x7c0 seq_read+0x226/0x2d0 vfs_read+0x113/0x2c0 ksys_read+0xc9/0x170 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Fix these issues by using `rcu_work` to help release `svc_expkey`/`svc_export`. This approach allows for an asynchronous context to invoke `path_put` and also facilitates the freeing of `uuid/exp/key` after an RCU grace period.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2025-20518.html
Vendor advisory: alma — https://bugzilla.redhat.com/2383441
Vendor advisory: alma — https://bugzilla.redhat.com/2376076
Vendor advisory: alma — https://bugzilla.redhat.com/2369184
Vendor advisory: alma — https://bugzilla.redhat.com/2363380
Vendor advisory: alma — https://bugzilla.redhat.com/2360215
Vendor advisory: alma — https://bugzilla.redhat.com/2351633
Vendor advisory: alma — https://bugzilla.redhat.com/2351629
Vendor advisory: alma — https://bugzilla.redhat.com/2351625
Vendor advisory: alma — https://bugzilla.redhat.com/2351624
Vendor advisory: alma — https://bugzilla.redhat.com/2351620
Vendor advisory: alma — https://bugzilla.redhat.com/2351618
Vendor advisory: alma — https://bugzilla.redhat.com/2351616
Vendor advisory: alma — https://bugzilla.redhat.com/2351613
Vendor advisory: alma — https://bugzilla.redhat.com/2351612
Vendor advisory: alma — https://bugzilla.redhat.com/2351608
Vendor advisory: alma — https://bugzilla.redhat.com/2351606
Vendor advisory: alma — https://bugzilla.redhat.com/2350726
Vendor advisory: alma — https://bugzilla.redhat.com/2350725
Vendor advisory: alma — https://bugzilla.redhat.com/2350589
Vendor advisory: alma — https://bugzilla.redhat.com/2350585
Vendor advisory: alma — https://bugzilla.redhat.com/2350400
Vendor advisory: alma — https://bugzilla.redhat.com/2350397
Vendor advisory: alma — https://bugzilla.redhat.com/2350396
Vendor advisory: alma — https://bugzilla.redhat.com/2350392
Vendor advisory: alma — https://bugzilla.redhat.com/2350388
Vendor advisory: alma — https://bugzilla.redhat.com/2350386
Vendor advisory: alma — https://bugzilla.redhat.com/2350375
Vendor advisory: alma — https://bugzilla.redhat.com/2350374
Vendor advisory: alma — https://bugzilla.redhat.com/2350367
Vendor advisory: alma — https://bugzilla.redhat.com/2350363
Vendor advisory: alma — https://bugzilla.redhat.com/2348901
Vendor advisory: alma — https://bugzilla.redhat.com/2348654
Vendor advisory: alma — https://bugzilla.redhat.com/2348650
Vendor advisory: alma — https://bugzilla.redhat.com/2348645
Vendor advisory: alma — https://bugzilla.redhat.com/2348634
Vendor advisory: alma — https://bugzilla.redhat.com/2348625
Vendor advisory: alma — https://bugzilla.redhat.com/2348620
Vendor advisory: alma — https://bugzilla.redhat.com/2348615
Vendor advisory: alma — https://bugzilla.redhat.com/2348601
Vendor advisory: alma — https://bugzilla.redhat.com/2348600
Vendor advisory: alma — https://bugzilla.redhat.com/2348597
Vendor advisory: alma — https://bugzilla.redhat.com/2348595
Vendor advisory: alma — https://bugzilla.redhat.com/2348587
Vendor advisory: alma — https://bugzilla.redhat.com/2348585
Vendor advisory: alma — https://bugzilla.redhat.com/2348584
Vendor advisory: alma — https://bugzilla.redhat.com/2348581
Vendor advisory: alma — https://bugzilla.redhat.com/2348578
Vendor advisory: alma — https://bugzilla.redhat.com/2348577
Vendor advisory: alma — https://bugzilla.redhat.com/2348574
Vendor advisory: alma — https://bugzilla.redhat.com/2348573
Vendor advisory: alma — https://bugzilla.redhat.com/2348566
Vendor advisory: alma — https://bugzilla.redhat.com/2348556
Vendor advisory: alma — https://bugzilla.redhat.com/2348554
Vendor advisory: alma — https://bugzilla.redhat.com/2348550
Vendor advisory: alma — https://bugzilla.redhat.com/2348547
Vendor advisory: alma — https://bugzilla.redhat.com/2348543
Vendor advisory: alma — https://bugzilla.redhat.com/2348541
Vendor advisory: alma — https://bugzilla.redhat.com/2348528
Vendor advisory: alma — https://bugzilla.redhat.com/2348523
Vendor advisory: alma — https://bugzilla.redhat.com/2348515
Vendor advisory: alma — https://bugzilla.redhat.com/2348279
Vendor advisory: alma — https://bugzilla.redhat.com/2348240
Vendor advisory: alma — https://bugzilla.redhat.com/2348238
Vendor advisory: alma — https://bugzilla.redhat.com/2348071
Vendor advisory: alma — https://bugzilla.redhat.com/2348022
Vendor advisory: alma — https://bugzilla.redhat.com/2347968
Vendor advisory: alma — https://bugzilla.redhat.com/2347919
Vendor advisory: alma — https://bugzilla.redhat.com/2347859
Vendor advisory: alma — https://bugzilla.redhat.com/2347807
Vendor advisory: alma — https://bugzilla.redhat.com/2347781
Vendor advisory: alma — https://bugzilla.redhat.com/2347759
Vendor advisory: alma — https://bugzilla.redhat.com/2347753
Vendor advisory: alma — https://bugzilla.redhat.com/2347707
Vendor advisory: alma — https://bugzilla.redhat.com/2346272
Vendor advisory: alma — https://bugzilla.redhat.com/2345240
Vendor advisory: alma — https://bugzilla.redhat.com/2344687
Vendor advisory: alma — https://bugzilla.redhat.com/2344684
Vendor advisory: alma — https://bugzilla.redhat.com/2343175
Vendor advisory: alma — https://bugzilla.redhat.com/2343172
Vendor advisory: alma — https://bugzilla.redhat.com/2338832
Vendor advisory: alma — https://bugzilla.redhat.com/2338828
Vendor advisory: alma — https://bugzilla.redhat.com/2338814
Vendor advisory: alma — https://bugzilla.redhat.com/2337124
Vendor advisory: alma — https://bugzilla.redhat.com/2337121
Vendor advisory: alma — https://bugzilla.redhat.com/2336541
Vendor advisory: alma — https://bugzilla.redhat.com/2334829
Vendor advisory: alma — https://bugzilla.redhat.com/2334795
Vendor advisory: alma — https://bugzilla.redhat.com/2334676
Vendor advisory: alma — https://bugzilla.redhat.com/2334560
Vendor advisory: alma — https://bugzilla.redhat.com/2334548
Vendor advisory: alma — https://bugzilla.redhat.com/2334547
Vendor advisory: alma — https://bugzilla.redhat.com/2334537
Vendor advisory: alma — https://bugzilla.redhat.com/2334439
Vendor advisory: alma — https://bugzilla.redhat.com/2334415
Vendor advisory: alma — https://bugzilla.redhat.com/2334396
Vendor advisory: alma — https://bugzilla.redhat.com/2334357
Vendor advisory: alma — https://bugzilla.redhat.com/2331326
Vendor advisory: alma — https://bugzilla.redhat.com/2330341
Vendor advisory: alma — https://bugzilla.redhat.com/2329918
Vendor advisory: alma — https://bugzilla.redhat.com/2327887
Vendor advisory: alma — https://bugzilla.redhat.com/2327374
Vendor advisory: alma — https://bugzilla.redhat.com/2327203
Vendor advisory: alma — https://bugzilla.redhat.com/2324549
Vendor advisory: alma — https://bugzilla.redhat.com/2320722
Vendor advisory: alma — https://bugzilla.redhat.com/2320616
Vendor advisory: alma — https://bugzilla.redhat.com/2320455
Vendor advisory: alma — https://bugzilla.redhat.com/2320259
Vendor advisory: alma — https://bugzilla.redhat.com/2320172
Vendor advisory: alma — https://bugzilla.redhat.com/2313092
Vendor advisory: alma — https://bugzilla.redhat.com/2312077
Vendor advisory: alma — https://bugzilla.redhat.com/2298169
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-53216
Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2025:20518
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2024-53216.html
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2025:6966
Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2025:20518
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| rhel | 9 | fixed | |
| sles | affected | | |
| rocky | 9 | fixed | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 6.12.3-1 |
| debian | sid | fixed | 6.12.3-1 |
| debian | trixie | fixed | 6.12.3-1 |
| almalinux | 9 | fixed | kernel-doc-5.14.0-611.5.1.el9_7.noarch.rpm |
References
- https://access.redhat.com/errata/RHSA-2025:20518
- https://access.redhat.com/errata/RHSA-2025:6966
- https://www.suse.com/security/cve/CVE-2024-53216.html
- https://errata.rockylinux.org/RLSA-2025:20518
- https://security-tracker.debian.org/tracker/CVE-2024-53216
- https://bugzilla.redhat.com/2298169
- https://bugzilla.redhat.com/2312077
- https://bugzilla.redhat.com/2313092
- https://bugzilla.redhat.com/2320172
- https://bugzilla.redhat.com/2320259
- https://bugzilla.redhat.com/2320455
- https://bugzilla.redhat.com/2320616
- https://bugzilla.redhat.com/2320722
- https://bugzilla.redhat.com/2324549
- https://bugzilla.redhat.com/2327203
- https://bugzilla.redhat.com/2327374
- https://bugzilla.redhat.com/2327887
- https://bugzilla.redhat.com/2329918
- https://bugzilla.redhat.com/2330341
- https://bugzilla.redhat.com/2331326
- https://bugzilla.redhat.com/2334357
- https://bugzilla.redhat.com/2334396
- https://bugzilla.redhat.com/2334415
- https://bugzilla.redhat.com/2334439
- https://bugzilla.redhat.com/2334537
Verify integrity in audit chain (admin only). AS-IS.