CVE-2025-22025

Summary

In the Linux kernel, the following vulnerability has been resolved:

nfsd: put dl_stid if fail to queue dl_recall

Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we increment the reference count of dl_stid. We expect that after the corresponding work_struct is processed, the reference count of dl_stid will be decremented through the callback function nfsd4_cb_recall_release. However, if the call to nfsd4_run_cb fails, the incremented reference count of dl_stid will not be decremented correspondingly, leading to the following nfs4_stid leak: unreferenced object 0xffff88812067b578 (size 344): comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s) hex dump (first 32 bytes): 01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ….kkkk…….. 00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk…..N.. backtrace: kmem_cache_alloc+0x4b9/0x700 nfsd4_process_open1+0x34/0x300 nfsd4_open+0x2d1/0x9d0 nfsd4_proc_compound+0x7a2/0xe30 nfsd_dispatch+0x241/0x3e0 svc_process_common+0x5d3/0xcc0 svc_process+0x2a3/0x320 nfsd+0x180/0x2e0 kthread+0x199/0x1d0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 unreferenced object 0xffff8881499f4d28 (size 368): comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ……..0M.I…. 30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I…. ……. backtrace: kmem_cache_alloc+0x4b9/0x700 nfs4_alloc_stid+0x29/0x210 alloc_init_deleg+0x92/0x2e0 nfs4_set_delegation+0x284/0xc00 nfs4_open_delegation+0x216/0x3f0 nfsd4_process_open2+0x2b3/0xee0 nfsd4_open+0x770/0x9d0 nfsd4_proc_compound+0x7a2/0xe30 nfsd_dispatch+0x241/0x3e0 svc_process_common+0x5d3/0xcc0 svc_process+0x2a3/0x320 nfsd+0x180/0x2e0 kthread+0x199/0x1d0 ret_from_fork+0x30/0x50 ret_from_fork_asm+0x1b/0x30 Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if fail to queue dl_recall.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxb5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf < b874cdef4e67e5150e07eff0eae1cbb21fb92da1affected
LinuxLinuxb5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf < cdb796137c57e68ca34518d53be53b679351eb86affected
LinuxLinuxb5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf < d96587cc93ec369031bcd7658c6adc719873c9fdaffected
LinuxLinuxb5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf < 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1affected
LinuxLinuxb5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf < cad3479b63661a399c9df1d0b759e1806e2df3c8affected
LinuxLinuxb5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf < 63b91c8ff4589f5263873b24c052447a28e10ef7affected
LinuxLinuxb5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf < 133f5e2a37ce08c82d24e8fba65e0a81deae4609affected
LinuxLinuxb5a1a81e5c25fb6bb3fdc1812ba69ff6ab638fcf < 230ca758453c63bd38e4d9f4a21db698f7abada8affected
LinuxLinux2.6.35affected
LinuxLinux0 < 2.6.35unaffected
LinuxLinux5.10.236 <= 5.10.*unaffected
LinuxLinux5.15.180 <= 5.15.*unaffected
LinuxLinux6.1.134 <= 6.1.*unaffected
LinuxLinux6.6.87 <= 6.6.*unaffected
LinuxLinux6.12.23 <= 6.12.*unaffected
LinuxLinux6.13.11 <= 6.13.*unaffected
LinuxLinux6.14.2 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References