THREATINT
PUBLISHED

CVE-2025-22025

nfsd: put dl_stid if fail to queue dl_recall



Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: put dl_stid if fail to queue dl_recall

Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we increment the reference count of dl_stid. We expect that after the corresponding work_struct is processed, the reference count of dl_stid will be decremented through the callback function nfsd4_cb_recall_release.

However, if the call to nfsd4_run_cb fails, the incremented reference count of dl_stid will not be decremented correspondingly, leading to the following nfs4_stid leak:

    unreferenced object 0xffff88812067b578 (size 344):
      comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
      hex dump (first 32 bytes):
        01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........
        00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..
      backtrace:
        kmem_cache_alloc+0x4b9/0x700
        nfsd4_process_open1+0x34/0x300
        nfsd4_open+0x2d1/0x9d0
        nfsd4_proc_compound+0x7a2/0xe30
        nfsd_dispatch+0x241/0x3e0
        svc_process_common+0x5d3/0xcc0
        svc_process+0x2a3/0x320
        nfsd+0x180/0x2e0
        kthread+0x199/0x1d0
        ret_from_fork+0x30/0x50
        ret_from_fork_asm+0x1b/0x30
    unreferenced object 0xffff8881499f4d28 (size 368):
      comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
      hex dump (first 32 bytes):
        01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....
        30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......
      backtrace:
        kmem_cache_alloc+0x4b9/0x700
        nfs4_alloc_stid+0x29/0x210
        alloc_init_deleg+0x92/0x2e0
        nfs4_set_delegation+0x284/0xc00
        nfs4_open_delegation+0x216/0x3f0
        nfsd4_process_open2+0x2b3/0xee0
        nfsd4_open+0x770/0x9d0
        nfsd4_proc_compound+0x7a2/0xe30
        nfsd_dispatch+0x241/0x3e0
        svc_process_common+0x5d3/0xcc0
        svc_process+0x2a3/0x320
        nfsd+0x180/0x2e0
        kthread+0x199/0x1d0
        ret_from_fork+0x30/0x50
        ret_from_fork_asm+0x1b/0x30

Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if fail to queue dl_recall.
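The reference imbalance described above, as an added user-space C model that is not the kernel patch or code from this record. All struct and function names are hypothetical stand-ins, and the reason queueing fails in the model (the work item is already pending) is an assumption, since the description only says the call can fail.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model with hypothetical names; not kernel code. */
struct stid  { int refcount; };
struct deleg { struct stid dl_stid; bool cb_pending; };

static void put_stid(struct stid *s) { s->refcount--; }

/* Stands in for nfsd4_run_cb: false means the work was NOT queued.
 * Assumption: it fails because the work item is already pending. */
static bool run_cb(struct deleg *dp)
{
    if (dp->cb_pending)
        return false;
    dp->cb_pending = true;
    return true;
}

/* Stands in for nfsd4_cb_recall_release: once per queued work item. */
static void cb_release(struct deleg *dp)
{
    dp->cb_pending = false;
    put_stid(&dp->dl_stid);
}

/* fixed=false is the pre-fix shape: queue result ignored. */
static void recall(struct deleg *dp, bool fixed)
{
    dp->dl_stid.refcount++;              /* reference held for the callback */
    if (!run_cb(dp) && fixed)
        put_stid(&dp->dl_stid);          /* no callback will run: drop it here */
}

/* Two recalls, one worker run; starts at 1, so 1 means balanced. */
static int final_refcount(bool fixed)
{
    struct deleg d = { { 1 }, false };
    recall(&d, fixed);   /* queued */
    recall(&d, fixed);   /* queueing fails */
    cb_release(&d);      /* single release for the single queued item */
    return d.dl_stid.refcount;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", final_refcount(false), final_refcount(true));
    return 0;
}
```

A final count above 1 in the pre-fix run is the extra reference that keeps the object from ever being freed, which is what the kmemleak report shows as an unreferenced object.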

Reserved 2024-12-29 | Published 2025-04-16 | Updated 2025-05-26 | Assigner Linux

Product status

Default status: unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b874cdef4e67e5150e07eff0eae1cbb21fb92da1 | affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before cdb796137c57e68ca34518d53be53b679351eb86 | affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before d96587cc93ec369031bcd7658c6adc719873c9fd | affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1 | affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before cad3479b63661a399c9df1d0b759e1806e2df3c8 | affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 63b91c8ff4589f5263873b24c052447a28e10ef7 | affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 133f5e2a37ce08c82d24e8fba65e0a81deae4609 | affected
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 230ca758453c63bd38e4d9f4a21db698f7abada8 | affected

Default status: affected

5.10.236 | unaffected
5.15.180 | unaffected
6.1.134 | unaffected
6.6.87 | unaffected
6.12.23 | unaffected
6.13.11 | unaffected
6.14.2 | unaffected
6.15 | unaffected

References

git.kernel.org/...c/b874cdef4e67e5150e07eff0eae1cbb21fb92da1

git.kernel.org/...c/cdb796137c57e68ca34518d53be53b679351eb86

git.kernel.org/...c/d96587cc93ec369031bcd7658c6adc719873c9fd

git.kernel.org/...c/9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1

git.kernel.org/...c/cad3479b63661a399c9df1d0b759e1806e2df3c8

git.kernel.org/...c/63b91c8ff4589f5263873b24c052447a28e10ef7

git.kernel.org/...c/133f5e2a37ce08c82d24e8fba65e0a81deae4609

git.kernel.org/...c/230ca758453c63bd38e4d9f4a21db698f7abada8

cve.org (CVE-2025-22025)

nvd.nist.gov (CVE-2025-22025)
