Linux Kernel NFSv4.1 Double Reference Count Vulnerability Leading to Use-After-Free

Vulnerability

The Linux kernel's NFSv4.1 client can release its reference on the callback transport twice when callback setup fails: the error-handling path drops a transport reference that it does not own, on top of the release performed by the reference's actual owner. The transport's reference count therefore underflows, the object is freed while another holder is still using it, and the result is a use-after-free in kernel memory.

Impact

The double release underflows the reference count of the callback transport, so the transport is freed while it is still referenced. Any subsequent access through the stale pointer is a use-after-free: at minimum a kernel crash (denial of service), and potentially corruption of kernel memory. Any system that mounts NFSv4.1 exports with a vulnerable kernel is exposed.

Reproduction

The bug is reached by making NFSv4.1 callback client setup fail after the callback transport has been handed over, so that the setup error path releases the transport reference in addition to the release performed by the reference's owner. The extra release shows up as a reference-count underflow: on kernels with refcount_t checking this is a "refcount_t: underflow" warning in the kernel log, and with KASAN enabled a use-after-free report follows when the freed transport is touched again.
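The ownership mistake described above, as an added illustration in a user-space model (this is not the kernel's code; the structure and function names are hypothetical). The "buggy" setup releases both its own reference and the caller's on failure, so the caller's routine cleanup then operates on a freed object; the "fixed" variant releases exactly what it acquired on every path. Freeing is simulated with a flag so the example can report the use-after-free instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a reference-counted transport (not kernel code).
 * refcount stands in for the kernel's refcount_t; "freed" simulates the
 * release of the object so a use-after-free can be reported. */
struct xprt_model {
    int refcount;
    int freed;
};

enum { XPRT_OK = 0, XPRT_ESETUP = -1, XPRT_EUAF = -2 };

static struct xprt_model *xprt_alloc(void)
{
    struct xprt_model *x = calloc(1, sizeof(*x));
    if (x)
        x->refcount = 1;            /* the allocating caller owns this ref */
    return x;
}

static void xprt_get(struct xprt_model *x)
{
    x->refcount++;
}

/* Returns XPRT_OK, or XPRT_EUAF when the object was already released:
 * the count would go below zero, the underflow refcount_t warns about. */
static int xprt_put(struct xprt_model *x)
{
    if (x->freed)
        return XPRT_EUAF;
    if (--x->refcount == 0)
        x->freed = 1;               /* last reference gone: "freed" */
    return XPRT_OK;
}

/* Buggy setup: on failure it drops the reference it took AND the one the
 * caller still holds, so the caller's later put hits a freed object. */
static int setup_callback_buggy(struct xprt_model *x, int fail)
{
    xprt_get(x);                    /* setup's own reference */
    if (fail) {
        xprt_put(x);                /* releases setup's reference */
        xprt_put(x);                /* releases the caller's reference: bug */
        return XPRT_ESETUP;
    }
    xprt_put(x);
    return XPRT_OK;
}

/* Fixed setup: every path releases exactly the reference it acquired. */
static int setup_callback_fixed(struct xprt_model *x, int fail)
{
    xprt_get(x);
    if (fail) {
        xprt_put(x);
        return XPRT_ESETUP;
    }
    xprt_put(x);
    return XPRT_OK;
}

/* Drive one setup variant: allocate the transport, run setup, then drop
 * the caller's own reference, as a caller does on both the success and the
 * error path. Returns the setup result, or XPRT_EUAF if the caller's final
 * put touched an object setup had already released. */
static int run_scenario(int (*setup)(struct xprt_model *, int), int fail)
{
    struct xprt_model *x = xprt_alloc();
    int rc, put_rc;

    if (!x)
        return XPRT_ESETUP;
    rc = setup(x, fail);
    put_rc = xprt_put(x);           /* caller's own cleanup */
    free(x);                        /* real memory release for the model */
    return put_rc == XPRT_EUAF ? XPRT_EUAF : rc;
}

int main(void)
{
    printf("buggy, setup fails: %d (use-after-free is %d)\n",
           run_scenario(setup_callback_buggy, 1), XPRT_EUAF);
    printf("fixed, setup fails: %d (clean error is %d)\n",
           run_scenario(setup_callback_fixed, 1), XPRT_ESETUP);
    printf("fixed, setup ok:    %d\n", run_scenario(setup_callback_fixed, 0));
    return 0;
}
```

The rule the fixed variant follows is the one to check in any error path of reference-counted kernel code: a function may only put references it acquired itself, and a reference handed in by the caller is released by the caller, on success and on failure alike.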

Remediation

Upgrade to a kernel that contains the fix, which is available in the stable branches of the Linux kernel Git repository; compare the running kernel (uname -r) against your distribution's advisory for this issue. As a stopgap where the workload permits it, mounting with vers=4.0 keeps the NFSv4.1 callback transport from being set up at all.

Added: Sep 18, 2025, 5:49 PM
Updated: Sep 18, 2025, 5:49 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.