CVE-2025-38338
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()
Sometimes, when a file was read while it was being truncated by
another NFS client, the kernel could deadlock because folio_unlock()
was called twice, and the second call would XOR back the PG_locked
flag.
Most of the time (depending on the timing of the truncation), nobody
notices the problem because folio_unlock() gets called three times,
which flips PG_locked back off:
- vfs_read, nfs_read_folio, … nfs_read_add_folio, nfs_return_empty_folio
- vfs_read, nfs_read_folio, … netfs_read_collection, netfs_unlock_abandoned_read_pages
- vfs_read, … nfs_do_read_folio, nfs_read_add_folio, nfs_return_empty_folio
The problem is that nfs_read_add_folio() is not supposed to unlock the folio if fscache is enabled, and a nfs_netfs_folio_unlock() check is missing in nfs_return_empty_folio().
Rarely this leads to a warning in netfs_read_collection():
————[ cut here ]———— R=0000031c: folio 10 is not locked WARNING: CPU: 0 PID: 29 at fs/netfs/read_collect.c:133 netfs_read_collection+0x7c0/0xf00 […] Workqueue: events_unbound netfs_read_collection_worker RIP: 0010:netfs_read_collection+0x7c0/0xf00 […] Call Trace: <TASK> netfs_read_collection_worker+0x67/0x80 process_one_work+0x12e/0x2c0 worker_thread+0x295/0x3a0
Most of the time, however, processes just get stuck forever in
folio_wait_bit_common(), waiting for PG_locked to disappear, which
never happens because nobody is really holding the folio lock.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 000dbe0bec058cbf2ca9e156e4a5584f5158b0f9 < 14f5549ad163be2c018abc1bb38370fff617a243 | affected |
| Linux | Linux | 000dbe0bec058cbf2ca9e156e4a5584f5158b0f9 < 5bf0b9eeb0174686f22c2e5b8fb9f47ad25da6f5 | affected |
| Linux | Linux | 000dbe0bec058cbf2ca9e156e4a5584f5158b0f9 < 1e93b61d3eaa14bfebcc2716ac09d43f3845d420 | affected |
| Linux | Linux | 000dbe0bec058cbf2ca9e156e4a5584f5158b0f9 < 4c10fa44bc5f700e2ea21de2fbae520ba21f19d9 | affected |
| Linux | Linux | 6.4 | affected |
| Linux | Linux | 0 < 6.4 | unaffected |
| Linux | Linux | 6.6.95 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.35 <= 6.12.* | unaffected |
| Linux | Linux | 6.15.4 <= 6.15.* | unaffected |
| Linux | Linux | 6.16 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/14f5549ad163be2c018abc1bb38370fff617a243
- https://git.kernel.org/stable/c/5bf0b9eeb0174686f22c2e5b8fb9f47ad25da6f5
- https://git.kernel.org/stable/c/1e93b61d3eaa14bfebcc2716ac09d43f3845d420
- https://git.kernel.org/stable/c/4c10fa44bc5f700e2ea21de2fbae520ba21f19d9
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.