Linux Kernel NFS NULL Pointer Dereference Vulnerability in Lock Context Handling

Vulnerability

A vulnerability in the Linux kernel's NFS (Network File System) implementation can lead to a NULL pointer dereference. The issue lies in lock context management, specifically in the 'nfs_get_lock_context' function. When memory is low, the function cannot allocate the lock context it needs and returns an error code indicating insufficient memory. If the caller does not handle this error and the invalid unlock data is processed anyway, a later function dereferences a NULL pointer and the kernel crashes.

Impact

Triggering this vulnerability crashes the kernel through a NULL pointer dereference, disrupting system operation and potentially causing a denial of service.

Reproduction

The vulnerability can be reproduced by simulating low-memory conditions under which 'nfs_get_lock_context' fails and returns an error. If that error is not handled and the invalid unlock data is handed to 'rpc_run_task', 'nfs4_locku_prepare' dereferences a NULL pointer and the kernel crashes.

Remediation

Free the allocated 'nfs4_unlockdata' when 'nfs_get_lock_context' fails and return NULL to prevent the NULL pointer dereference.
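The following user-space C program is an added illustration of the defect and the remediation described above; it is not kernel code and not taken from this page. It models the kernel's error-pointer convention (ERR_PTR/IS_ERR are simplified re-implementations of the kernel helpers, not the real headers) and uses hypothetical stand-in names ('get_lock_context', 'build_unlockdata_buggy', 'build_unlockdata_fixed', 'locku_prepare') for the functions the advisory names. The buggy builder stores the error result in the unlock data unchecked, so the later prepare step receives an invalid pointer; the fixed builder frees the unlock data and returns NULL, as the remediation requires. The prepare stand-in reports the error instead of dereferencing it, so the program runs to completion and shows where the real kernel would have crashed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel's ERR_PTR()/PTR_ERR()/IS_ERR(): an
 * errno value is smuggled through a pointer by placing it in the top
 * 4095 byte range of the address space. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline bool IS_ERR(const void *p) {
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

/* Hypothetical minimal versions of the two structures involved. */
struct nfs_lock_context { int refcount; };
struct nfs4_unlockdata { struct nfs_lock_context *l_ctx; };

/* Stand-in for nfs_get_lock_context(): under (simulated) memory pressure it
 * returns an error pointer rather than a usable context. */
static struct nfs_lock_context *get_lock_context(bool simulate_low_memory) {
    if (simulate_low_memory)
        return ERR_PTR(-ENOMEM);
    struct nfs_lock_context *c = calloc(1, sizeof *c);
    if (!c)
        return ERR_PTR(-ENOMEM);
    c->refcount = 1;
    return c;
}

/* Defective shape: the result is stored without an IS_ERR() check, so an
 * error pointer travels onward inside the unlock data. */
static struct nfs4_unlockdata *build_unlockdata_buggy(bool low_memory) {
    struct nfs4_unlockdata *d = calloc(1, sizeof *d);
    if (!d)
        return NULL;
    d->l_ctx = get_lock_context(low_memory);   /* no error check here */
    return d;
}

/* Remediated shape: on failure, free the unlock data and return NULL so the
 * caller aborts before anything is scheduled. */
static struct nfs4_unlockdata *build_unlockdata_fixed(bool low_memory) {
    struct nfs4_unlockdata *d = calloc(1, sizeof *d);
    if (!d)
        return NULL;
    d->l_ctx = get_lock_context(low_memory);
    if (IS_ERR(d->l_ctx)) {
        free(d);
        return NULL;
    }
    return d;
}

/* Stand-in for the later prepare step, which reads through l_ctx. The real
 * code would dereference the invalid pointer and crash; here the error is
 * reported so the program can continue. */
static int locku_prepare(const struct nfs4_unlockdata *d) {
    if (d == NULL)
        return -EINVAL;                 /* caller's signal to stop */
    if (IS_ERR(d->l_ctx))
        return (int)PTR_ERR(d->l_ctx);  /* would have been a crash */
    return d->l_ctx->refcount;          /* normal path: a usable context */
}

static void free_unlockdata(struct nfs4_unlockdata *d) {
    if (!d)
        return;
    if (d->l_ctx && !IS_ERR(d->l_ctx))
        free(d->l_ctx);
    free(d);
}

/* Error the prepare step sees on the defective path under low memory. */
static int buggy_path_error(void) {
    struct nfs4_unlockdata *d = build_unlockdata_buggy(true);
    int rc = locku_prepare(d);
    free_unlockdata(d);
    return rc;   /* -ENOMEM: the error pointer reached the prepare step */
}

/* Error the prepare step sees on the remediated path under low memory. */
static int fixed_path_error(void) {
    struct nfs4_unlockdata *d = build_unlockdata_fixed(true);
    int rc = locku_prepare(d);
    free_unlockdata(d);
    return rc;   /* -EINVAL: builder returned NULL, nothing was dereferenced */
}

/* Sanity check of the normal path with memory available. */
static int normal_path_refcount(void) {
    struct nfs4_unlockdata *d = build_unlockdata_fixed(false);
    int rc = locku_prepare(d);
    free_unlockdata(d);
    return rc;   /* 1 */
}

int main(void) {
    printf("buggy path under low memory : %d (error pointer reached prepare)\n",
           buggy_path_error());
    printf("fixed path under low memory : %d (builder returned NULL)\n",
           fixed_path_error());
    printf("normal path refcount        : %d\n", normal_path_refcount());
    return 0;
}
```

The point to take from the two builders is the ownership rule the remediation states: whoever allocates the unlock data must release it on every early-exit path, and an error-encoding pointer must never be stored in a field that later code will dereference.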

Added: Jun 18, 2025, 12:07 PM
Updated: Jun 18, 2025, 12:07 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.