VYPR
High severity · 7.8 · NVD Advisory · Published Nov 5, 2024 · Updated May 12, 2026

CVE-2024-50121

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

In the normal case, when we execute echo 0 > /proc/fs/nfsd/threads, the function nfs4_state_destroy_net in nfs4_state_shutdown_net will release all resources related to the hashed nfs4_client. If the nfsd_client_shrinker is running concurrently, the expire_client function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well.

    nfsd_client_shrinker                echo 0 > /proc/fs/nfsd/threads

    expire_client                       nfsd_shutdown_net
      unhash_client                       ...
                                          nfs4_state_shutdown_net
                                            /* won't wait shrinker exit */
      /*                                    cancel_work(&nn->nfsd_shrinker_work)
       * nfsd_file for this                 /* won't destroy unhashed client1 */
       * client1 still alive                nfs4_state_destroy_net
       */

                                          nfsd_file_cache_shutdown
                                            /* trigger warning */
                                            kmem_cache_destroy(nfsd_file_slab)
                                            kmem_cache_destroy(nfsd_file_mark_slab)
      /* release nfsd_file and mark */
      __destroy_client

    ====================================================================
    BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown()
    --------------------------------------------------------------------
    CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1

     dump_stack_lvl+0x53/0x70
     slab_err+0xb0/0xf0
     __kmem_cache_shutdown+0x15c/0x310
     kmem_cache_destroy+0x66/0x160
     nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
     nfsd_destroy_serv+0x251/0x2a0 [nfsd]
     nfsd_svc+0x125/0x1e0 [nfsd]
     write_threads+0x16a/0x2a0 [nfsd]
     nfsctl_transaction_write+0x74/0xa0 [nfsd]
     vfs_write+0x1a5/0x6d0
     ksys_write+0xc1/0x160
     do_syscall_64+0x5f/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

    ====================================================================
    BUG nfsd_file_mark (Tainted: G B W ): Objects remaining nfsd_file_mark on __kmem_cache_shutdown()
    --------------------------------------------------------------------

     dump_stack_lvl+0x53/0x70
     slab_err+0xb0/0xf0
     __kmem_cache_shutdown+0x15c/0x310
     kmem_cache_destroy+0x66/0x160
     nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
     nfsd_destroy_serv+0x251/0x2a0 [nfsd]
     nfsd_svc+0x125/0x1e0 [nfsd]
     write_threads+0x16a/0x2a0 [nfsd]
     nfsctl_transaction_write+0x74/0xa0 [nfsd]
     vfs_write+0x1a5/0x6d0
     ksys_write+0xc1/0x160
     do_syscall_64+0x5f/0x170
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

To resolve this issue, cancel nfsd_shrinker_work using synchronous mode in nfs4_state_shutdown_net.
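
The interleaving in the diagram above, as a userspace pthread model (an added example, not kernel code and not part of the original commit). objects_at_cache_destroy(false) models a cancel that does not wait for a callback that is already running, and objects_at_cache_destroy(true) models cancel_work_sync. The struct, the go gate and the function names are constructed for illustration.

```c
#include <pthread.h>
#include <stdbool.h>

/* Userspace model, not kernel code: state tracks the shrinker callback
 * (0 not started, 1 mid-callback, 2 finished); live counts the objects
 * (nfsd_file stand-ins) still allocated; go pins the racy interleaving. */
struct model {
    pthread_mutex_t lock;
    pthread_cond_t cond;
    int state, live;
    bool go;
};

/* Models expire_client(): unhash first, release the objects later. */
static void *shrinker(void *arg)
{
    struct model *m = arg;
    pthread_mutex_lock(&m->lock);
    m->state = 1;                    /* client unhashed, objects alive */
    pthread_cond_broadcast(&m->cond);
    while (!m->go)                   /* held until shutdown has cancelled */
        pthread_cond_wait(&m->cond, &m->lock);
    m->live = 0;                     /* __destroy_client frees them */
    m->state = 2;
    pthread_cond_broadcast(&m->cond);
    pthread_mutex_unlock(&m->lock);
    return NULL;
}

/* Models the shutdown path; returns objects left at cache destruction. */
int objects_at_cache_destroy(bool sync)
{
    struct model m = { .lock = PTHREAD_MUTEX_INITIALIZER,
                       .cond = PTHREAD_COND_INITIALIZER, .live = 1 };
    pthread_t t;
    pthread_create(&t, NULL, shrinker, &m);
    pthread_mutex_lock(&m.lock);
    while (m.state == 0)             /* wait until the callback is running */
        pthread_cond_wait(&m.cond, &m.lock);
    m.go = true;                     /* cancel issued; nothing was pending */
    pthread_cond_broadcast(&m.cond);
    while (sync && m.state != 2)     /* only the _sync form waits here */
        pthread_cond_wait(&m.cond, &m.lock);
    int remaining = m.live;          /* what kmem_cache_destroy() would find */
    pthread_mutex_unlock(&m.lock);
    pthread_join(t, NULL);
    return remaining;
}
```

A non-zero return corresponds to the "Objects remaining in nfsd_file on __kmem_cache_shutdown()" condition in the log above; the synchronous variant returns zero because shutdown does not sample the cache until the callback has finished.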

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel, a race condition in NFSD's client shutdown was fixed by canceling nfsd_shrinker_work in sync mode.

A race condition in the Linux kernel's NFS daemon (nfsd) could lead to a slab-use-after-free or kernel warning [1]. The bug occurs when nfsd_client_shrinker concurrently runs expire_client while the system executes echo 0 > /proc/fs/nfsd/threads to shut down the NFS server [1]. The shrinker may unhash a client that is still referenced, and the shutdown path (nfs4_state_shutdown_net) previously called cancel_work on nfsd_shrinker_work in a non-sync manner, allowing the shrinker to continue after the cancellation [1]. This results in leftover nfsd_file objects being destroyed after the associated slab caches (e.g., nfsd_file_slab, nfsd_file_mark_slab) have been shut down, triggering a BUG warning: Objects remaining in nfsd_file on __kmem_cache_shutdown() [1].

An attacker with local access and the ability to trigger NFS activity and then stop the NFS server (e.g., by writing to /proc/fs/nfsd/threads) could potentially exploit this race to cause a use-after-free [1]. The attack requires control over the timing of NFS client operations and server shutdown but does not require network access beyond local NFS client capabilities [1]. The race window is small but deterministic under controlled conditions, making it a realistic local denial-of-service or privilege-escalation vector [1].

The impact is a kernel crash in the form of a BUG warning and slab corruption, which can lead to system instability or arbitrary code execution due to use-after-free of nfsd_file objects [1]. The issue is rated High with a CVSS v3 score of 7.8, indicating significant impact on confidentiality, integrity, and availability if exploited [1].

The fix has been applied in the Linux kernel stable branches via commit add1df5eba163a3a6ece11cb85890e2e410baaea [2]. The patch changes the nfs4_state_shutdown_net function to call cancel_work_sync(&nn->nfsd_shrinker_work) instead of cancel_work, ensuring the shrinker work is fully completed before proceeding with resource destruction [1][2]. Users should update to a kernel version containing this commit to mitigate the vulnerability [1][2]. In environments where immediate patching is not possible, reducing NFS client activity prior to server shutdown may reduce the risk of triggering the race [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

73


References

9
