Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's sunrpc component, where the cache_request is not properly freed when a reader's file descriptor is closed mid-read. This issue arises because cache_release() decreases the readers count but fails to check if the request should be freed. Although cache_read() includes the necessary cleanup, cache_release() does not. As a result, requests can remain in memory without being cleaned up, leading to a potential memory leak.
This vulnerability can cause a memory leak by failing to release cache_request objects that are no longer needed, which can accumulate over time and potentially lead to memory exhaustion.
To reproduce this vulnerability, open a file descriptor for reading a cache_request. While still reading (indicated by rp->offset not being zero), close the file descriptor. This will trigger cache_release(), which will decrement the readers count but not free the cache_request, creating a memory leak. The request will only be freed if cache_dequeue() is called, but this only happens when CACHE_PENDING transitions from set to clear, which may not occur if the readers count is still non-zero.
The vulnerability has been addressed in the official Linux Git repository. Users can upgrade to the latest version to apply the fix.
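The leak path described above, as an added userspace model in C; it is not kernel code and not the upstream patch. The struct, the helper names and the assumption that the dequeue step skips a request that still has a reader are illustrative, and `release_checked` repeats the check the description attributes to cache_read().

```c
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model only: struct layout and helper names are hypothetical. */
struct req {
    int  readers;   /* readers currently mid-read (rp->offset != 0) */
    bool pending;   /* stands in for CACHE_PENDING */
};

static int live;    /* requests allocated and not yet freed */

static void req_free(struct req *r) { free(r); live--; }

/* Assumed dequeue behaviour: runs when pending clears and skips
 * any request that still has a reader. */
static void model_dequeue(struct req *r)
{
    r->pending = false;
    if (r->readers == 0)
        req_free(r);
}

/* Release as the advisory describes it: drop the reader, nothing else. */
static void release_leaky(struct req *r) { r->readers--; }

/* Release that repeats the check cache_read() already performs. */
static void release_checked(struct req *r)
{
    if (--r->readers == 0 && !r->pending)
        req_free(r);
}

/* Close the fd mid-read after pending has cleared; return requests left. */
int leaked_after_close(void (*release)(struct req *))
{
    struct req *r = calloc(1, sizeof(*r));
    if (!r)
        abort();
    r->readers = 1;          /* one reader, mid-read */
    r->pending = true;
    live = 1;
    model_dequeue(r);        /* pending clears, request is skipped */
    release(r);              /* fd closed */
    int left = live;
    if (left)
        req_free(r);         /* tidy up the model itself */
    return left;
}
```

In the model, the request survives only when the close happens after the pending flag has already cleared, which is the ordering the reproduction steps depend on.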