{"id":"CVE-2022-50241","summary":"NFSD: fix use-after-free on source server when doing inter-server copy","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: fix use-after-free on source server when doing inter-server copy\n\nUse-after-free occurred when the laundromat tried to free expired\ncpntf_state entry on the s2s_cp_stateids list after inter-server\ncopy completed. The sc_cp_list that the expired copy state was\ninserted on was already freed.\n\nWhen COPY completes, the Linux client normally sends LOCKU(lock_state x),\nFREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server.\nThe nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state\nfrom the s2s_cp_stateids list before freeing the lock state's stid.\n\nHowever, sometimes the CLOSE was sent before the FREE_STATEID request.\nWhen this happens, the nfsd4_close_open_stateid call from nfsd4_close\nfrees all lock states on its st_locks list without cleaning up the copy\nstate on the sc_cp_list list. When the time the FREE_STATEID arrives the\nserver returns BAD_STATEID since the lock state was freed. This causes\nthe use-after-free error to occur when the laundromat tries to free\nthe expired cpntf_state.\n\nThis patch adds a call to nfs4_free_cpntf_statelist in\nnfsd4_close_open_stateid to clean up the copy state before calling\nfree_ol_stateid_reaplist to free the lock state's stid on the reaplist.","modified":"2026-04-02T08:28:20.809190Z","published":"2025-09-15T14:01:47.539Z","related":["SUSE-SU-2025:03615-1","SUSE-SU-2025:03628-1","SUSE-SU-2025:3716-1","SUSE-SU-2025:3761-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50241.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/019805fea91599b22dfa62ffb29c022f35abeb06"},{"type":"WEB","url":"https://git.kernel.org/stable/c/35aa0fb8c3033a3d78603356e96fc18c5b9cceb2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6ea71246b7a02af675d733e72d14bd0d591d5f4a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/83b94969751a691347606dbe6b1865efcfa5a643"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bbacfcde5fff25ac22597e8373a065c647da6738"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50241.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-50241"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"624322f1adc58acd0b69f77a6ddc764207e97241"},{"fixed":"bbacfcde5fff25ac22597e8373a065c647da6738"},{"fixed":"83b94969751a691347606dbe6b1865efcfa5a643"},{"fixed":"6ea71246b7a02af675d733e72d14bd0d591d5f4a"},{"fixed":"35aa0fb8c3033a3d78603356e96fc18c5b9cceb2"},{"fixed":"019805fea91599b22dfa62ffb29c022f35abeb06"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50241.json"}}],"schema_version":"1.7.5"}