cve/published/2025/CVE-2025-22025.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22025: nfsd: put dl_stid if fail to queue dl_recall

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nfsd: put dl_stid if fail to queue dl_recall

 Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we
 increment the reference count of dl_stid.
 We expect that after the corresponding work_struct is processed, the
 reference count of dl_stid will be decremented through the callback
 function nfsd4_cb_recall_release.
 However, if the call to nfsd4_run_cb fails, the incremented reference
 count of dl_stid will not be decremented correspondingly, leading to the
 following nfs4_stid leak:
 unreferenced object 0xffff88812067b578 (size 344):
   comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
   hex dump (first 32 bytes):
     01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........
     00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..
   backtrace:
     kmem_cache_alloc+0x4b9/0x700
     nfsd4_process_open1+0x34/0x300
     nfsd4_open+0x2d1/0x9d0
     nfsd4_proc_compound+0x7a2/0xe30
     nfsd_dispatch+0x241/0x3e0
     svc_process_common+0x5d3/0xcc0
     svc_process+0x2a3/0x320
     nfsd+0x180/0x2e0
     kthread+0x199/0x1d0
     ret_from_fork+0x30/0x50
     ret_from_fork_asm+0x1b/0x30
 unreferenced object 0xffff8881499f4d28 (size 368):
   comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
   hex dump (first 32 bytes):
     01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....
     30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......
   backtrace:
     kmem_cache_alloc+0x4b9/0x700
     nfs4_alloc_stid+0x29/0x210
     alloc_init_deleg+0x92/0x2e0
     nfs4_set_delegation+0x284/0xc00
     nfs4_open_delegation+0x216/0x3f0
     nfsd4_process_open2+0x2b3/0xee0
     nfsd4_open+0x770/0x9d0
     nfsd4_proc_compound+0x7a2/0xe30
     nfsd_dispatch+0x241/0x3e0
     svc_process_common+0x5d3/0xcc0
     svc_process+0x2a3/0x320
     nfsd+0x180/0x2e0
     kthread+0x199/0x1d0
     ret_from_fork+0x30/0x50
     ret_from_fork_asm+0x1b/0x30
 Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if
 fail to queue dl_recall.

 The Linux kernel CVE team has assigned CVE-2025-22025 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.236 with commit b874cdef4e67e5150e07eff0eae1cbb21fb92da1
 	Fixed in 5.15.180 with commit cdb796137c57e68ca34518d53be53b679351eb86
 	Fixed in 6.1.134 with commit d96587cc93ec369031bcd7658c6adc719873c9fd
 	Fixed in 6.6.87 with commit 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1
 	Fixed in 6.12.23 with commit cad3479b63661a399c9df1d0b759e1806e2df3c8
 	Fixed in 6.13.11 with commit 63b91c8ff4589f5263873b24c052447a28e10ef7
 	Fixed in 6.14.2 with commit 133f5e2a37ce08c82d24e8fba65e0a81deae4609
 	Fixed in 6.15 with commit 230ca758453c63bd38e4d9f4a21db698f7abada8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22025
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nfsd/nfs4state.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b874cdef4e67e5150e07eff0eae1cbb21fb92da1
 	https://git.kernel.org/stable/c/cdb796137c57e68ca34518d53be53b679351eb86
 	https://git.kernel.org/stable/c/d96587cc93ec369031bcd7658c6adc719873c9fd
 	https://git.kernel.org/stable/c/9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1
 	https://git.kernel.org/stable/c/cad3479b63661a399c9df1d0b759e1806e2df3c8
 	https://git.kernel.org/stable/c/63b91c8ff4589f5263873b24c052447a28e10ef7
 	https://git.kernel.org/stable/c/133f5e2a37ce08c82d24e8fba65e0a81deae4609
 	https://git.kernel.org/stable/c/230ca758453c63bd38e4d9f4a21db698f7abada8
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22025: nfsd: put dl_stid if fail to queue dl_recall

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nfsd: put dl_stid if fail to queue dl_recall

	Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we
	increment the reference count of dl_stid.
	We expect that after the corresponding work_struct is processed, the
	reference count of dl_stid will be decremented through the callback
	function nfsd4_cb_recall_release.
	However, if the call to nfsd4_run_cb fails, the incremented reference
	count of dl_stid will not be decremented correspondingly, leading to the
	following nfs4_stid leak:
	unreferenced object 0xffff88812067b578 (size 344):
	comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
	hex dump (first 32 bytes):
	01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........
	00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N..
	backtrace:
	kmem_cache_alloc+0x4b9/0x700
	nfsd4_process_open1+0x34/0x300
	nfsd4_open+0x2d1/0x9d0
	nfsd4_proc_compound+0x7a2/0xe30
	nfsd_dispatch+0x241/0x3e0
	svc_process_common+0x5d3/0xcc0
	svc_process+0x2a3/0x320
	nfsd+0x180/0x2e0
	kthread+0x199/0x1d0
	ret_from_fork+0x30/0x50
	ret_from_fork_asm+0x1b/0x30
	unreferenced object 0xffff8881499f4d28 (size 368):
	comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
	hex dump (first 32 bytes):
	01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I....
	30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... .......
	backtrace:
	kmem_cache_alloc+0x4b9/0x700
	nfs4_alloc_stid+0x29/0x210
	alloc_init_deleg+0x92/0x2e0
	nfs4_set_delegation+0x284/0xc00
	nfs4_open_delegation+0x216/0x3f0
	nfsd4_process_open2+0x2b3/0xee0
	nfsd4_open+0x770/0x9d0
	nfsd4_proc_compound+0x7a2/0xe30
	nfsd_dispatch+0x241/0x3e0
	svc_process_common+0x5d3/0xcc0
	svc_process+0x2a3/0x320
	nfsd+0x180/0x2e0
	kthread+0x199/0x1d0
	ret_from_fork+0x30/0x50
	ret_from_fork_asm+0x1b/0x30
	Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if
	fail to queue dl_recall.

	The Linux kernel CVE team has assigned CVE-2025-22025 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.236 with commit b874cdef4e67e5150e07eff0eae1cbb21fb92da1
	Fixed in 5.15.180 with commit cdb796137c57e68ca34518d53be53b679351eb86
	Fixed in 6.1.134 with commit d96587cc93ec369031bcd7658c6adc719873c9fd
	Fixed in 6.6.87 with commit 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1
	Fixed in 6.12.23 with commit cad3479b63661a399c9df1d0b759e1806e2df3c8
	Fixed in 6.13.11 with commit 63b91c8ff4589f5263873b24c052447a28e10ef7
	Fixed in 6.14.2 with commit 133f5e2a37ce08c82d24e8fba65e0a81deae4609
	Fixed in 6.15 with commit 230ca758453c63bd38e4d9f4a21db698f7abada8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22025
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nfsd/nfs4state.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b874cdef4e67e5150e07eff0eae1cbb21fb92da1
	https://git.kernel.org/stable/c/cdb796137c57e68ca34518d53be53b679351eb86
	https://git.kernel.org/stable/c/d96587cc93ec369031bcd7658c6adc719873c9fd
	https://git.kernel.org/stable/c/9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1
	https://git.kernel.org/stable/c/cad3479b63661a399c9df1d0b759e1806e2df3c8
	https://git.kernel.org/stable/c/63b91c8ff4589f5263873b24c052447a28e10ef7
	https://git.kernel.org/stable/c/133f5e2a37ce08c82d24e8fba65e0a81deae4609
	https://git.kernel.org/stable/c/230ca758453c63bd38e4d9f4a21db698f7abada8