HIGH
nfsd Grace Period UAF
CVE-2026-22980
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

nfsd: provide locking for v4_end_grace

Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed - reclaim_str_hashtbl in particular.

We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock.

nfsd4_end_grace() is also called by the laundromat work queue and this doesn't require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access. However, we must be sure that writing to v4_end_grace doesn't restart the work item after shutdown has already waited for it.

For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held.

So this patch adds an nfsd_net field "client_tracking_active" which is set as described. Another field "grace_end_forced" is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This "grace_end_forced" field bypasses other checks for whether the grace period has finished.

This resolves a race which can result in use-after-free.
02 KernelScan AI Analysis
Risk summary
An attacker with root privileges can trigger a use-after-free vulnerability by writing to the NFS v4_end_grace procfs file during server shutdown, potentially leading to kernel memory corruption, system crashes, or privilege escalation. The attack requires precise timing to exploit the race condition between grace period termination and server shutdown.
Vulnerability analysis
Root Cause: A race condition exists between writing to the v4_end_grace procfs file and NFS server shutdown. When userspace writes to v4_end_grace during server shutdown, it can trigger nfsd4_end_grace() which accesses memory structures (particularly reclaim_str_hashtbl) that have already been freed during the shutdown process. The original code lacked proper synchronization between the grace period termination path and server lifecycle management.
Attack Surface: Local attack surface requiring write access to /proc/fs/nfsd/v4_end_grace, which typically requires root privileges. The vulnerability is triggered through the procfs interface during specific timing windows when the NFS server is shutting down.
Fix Mechanism: The patch introduces two new flags protected by the nn->client_lock spinlock: 'client_tracking_active' (set only while it is safe to make client tracking calls) and 'grace_end_forced' (set when v4_end_grace is written). The fix replaces direct calls to nfsd4_end_grace() with nfsd4_force_end_grace(), which checks these flags under spinlock protection. The laundromat work is scheduled only if client_tracking_active is true, so a write cannot reschedule the work after shutdown has already waited for it to complete. The grace_end_forced flag bypasses the normal checks for whether the grace period has finished.
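As an added illustration of the ordering the fix relies on (this is a user-space model written for this page, not the kernel's code), the block below keeps the field and function names from the description but reduces the laundromat work queue to a pending flag and reclaim_str_hashtbl to a "freed" flag. It shows that shutdown clears client_tracking_active under the lock before waiting for the work, so a write to v4_end_grace that arrives afterwards schedules nothing, whereas the pre-fix path that called nfsd4_end_grace() directly reaches the freed table.

```c
/* User-space model of the synchronization the patch adds; not kernel code. Names
 * follow the description; work queue = pending flag, reclaim_str_hashtbl = freed flag. */
#include <stdatomic.h>
#include <stdbool.h>

struct nfsd_net {
    atomic_flag client_lock;      /* stands in for the nn->client_lock spinlock */
    bool client_tracking_active;  /* true only while tracking calls are safe */
    bool grace_end_forced;        /* set by a write to v4_end_grace */
    bool laundromat_pending;      /* the scheduled laundromat work item */
    bool reclaim_tbl_freed;       /* reclaim_str_hashtbl has been freed */
};

static void lock(struct nfsd_net *nn) { while (atomic_flag_test_and_set(&nn->client_lock)) {} }
static void unlock(struct nfsd_net *nn) { atomic_flag_clear(&nn->client_lock); }

static void nfsd_start(struct nfsd_net *nn) {
    atomic_flag_clear(&nn->client_lock);
    nn->grace_end_forced = nn->laundromat_pending = nn->reclaim_tbl_freed = false;
    lock(nn); nn->client_tracking_active = true; unlock(nn);
}

/* nfsd4_end_grace() body: touching the hashtable after it was freed is the
 * use-after-free, reported as false instead of crashing. */
static bool laundromat_run(struct nfsd_net *nn) {
    nn->laundromat_pending = false;
    return !nn->reclaim_tbl_freed;
}

/* Pre-fix write path, for contrast: calls nfsd4_end_grace() with no state check. */
static bool v4_end_grace_write_unfixed(struct nfsd_net *nn) { return laundromat_run(nn); }

/* Fixed write path: set grace_end_forced, but schedule the work only while
 * client_tracking_active is set, both checked under the spinlock. */
static bool nfsd4_force_end_grace(struct nfsd_net *nn) {
    lock(nn);
    nn->grace_end_forced = true;
    bool scheduled = nn->client_tracking_active;
    if (scheduled) nn->laundromat_pending = true;
    unlock(nn);
    return scheduled;
}

/* Shutdown: clear the flag under the lock, then wait for (here: run) pending
 * work, then free. A later writer sees the flag clear and schedules nothing. */
static bool nfsd_shutdown(struct nfsd_net *nn) {
    lock(nn); nn->client_tracking_active = false; unlock(nn);
    bool ok = nn->laundromat_pending ? laundromat_run(nn) : true;
    nn->reclaim_tbl_freed = true;
    return ok;
}
```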
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.248 | ca97360860eb |
| 5.15 | 5.15.198 | e8bfa2401d4c |
| 6.1 | 6.1.161 | 34eb22836e0c |
| 6.6 | 6.6.121 | 06600719d0f7 |
| 6.12 | 6.12.66 | ba4811c8b433 |
| 6.18 | 6.18.6 | 53f07d095e7e |
| mainline | 6.19 | 2857bd59feb6 |