CVE-2024-26629

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: The issue is related to a vulnerability in the Linux kernel's nfsd module, specifically in the nfsd4 release lockowner() function. The test on so count can transiently return a false positive, resulting in a return of NFS4ERR LOCKS HELD when in fact no locks are held. This is a protocol violation and can cause incorrect behavior with the Linux NFS client. If RELEASE LOCKOWNER is sent while another thread is still processing a LOCK request that failed due to a conflicting lock, the nfsd thread can hold a reference to the lock owner, causing nfsd4 release lockowner() to return an incorrect error. The Linux NFS client ignores this error because it never sends NFS4 RELEASE LOCKOWNER without first releasing any locks. However, when it reuses a lock owner identifier for which a previous RELEASE failed, it will use a lock seqid of zero, but the server will expect a larger lock seqid and respond with NFS4ERR BAD SEQID. The patch changes check for locks() to use find any file locked() to avoid taking a reference on the nfs4 file and never calling nfsd file put(), thus never sleeping.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.