CVE-2025-39688

Summary

In the Linux kernel, the following vulnerability has been resolved:

nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()

The pynfs DELEG8 test fails when run against nfsd. It acquires a delegation and then lets the lease time out. It then tries to use the deleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets bad NFS4ERR_BAD_STATEID instead.

When a delegation is revoked, it's initially marked with SC_STATUS_REVOKED, or SC_STATUS_ADMIN_REVOKED and later, it's marked with the SC_STATUS_FREEABLE flag, which denotes that it is waiting for s FREE_STATEID call.

nfs4_lookup_stateid() accepts a statusmask that includes the status flags that a found stateid is allowed to have. Currently, that mask never includes SC_STATUS_FREEABLE, which means that revoked delegations are (almost) never found.

Add SC_STATUS_FREEABLE to the always-allowed status flags, and remove it from nfsd4_delegreturn() since it's now always implied.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a < 52e209203c35a4fbff8af23cd3613efe5df40102affected
LinuxLinux8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a < dc6f3295905d7185e71091870119a8c11c3808ccaffected
LinuxLinux8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a < 5bcb44e650bc4ec7eac23df90c5e011a77fa2bebaffected
LinuxLinux8dd91e8d31febf4d9cca3ae1bb4771d33ae7ee5a < d1bc15b147d35b4cb7ca99a9a7d79d41ca342c13affected
LinuxLinux967faa26f313a62e7bebc55d5b8122eaee43b929affected
LinuxLinux6.11.6 < 6.12affected
LinuxLinux6.12affected
LinuxLinux0 < 6.12unaffected
LinuxLinux6.12.23 <= 6.12.*unaffected
LinuxLinux6.13.11 <= 6.13.*unaffected
LinuxLinux6.14.2 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

References