CVE-2025-21796

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: clear acl_access/acl_default after releasing them<br /> <br /> If getting acl_default fails, acl_access and acl_default will be released<br /> simultaneously. However, acl_access will still retain a pointer pointing<br /> to the released posix_acl, which will trigger a WARNING in<br /> nfs3svc_release_getacl like this:<br /> <br /> ------------[ cut here ]------------<br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28<br /> refcount_warn_saturate+0xb5/0x170<br /> Modules linked in:<br /> CPU: 26 UID: 0 PID: 3199 Comm: nfsd Not tainted<br /> 6.12.0-rc6-00079-g04ae226af01f-dirty #8<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> 1.16.1-2.fc37 04/01/2014<br /> RIP: 0010:refcount_warn_saturate+0xb5/0x170<br /> Code: cc cc 0f b6 1d b3 20 a5 03 80 fb 01 0f 87 65 48 d8 00 83 e3 01 75<br /> e4 48 c7 c7 c0 3b 9b 85 c6 05 97 20 a5 03 01 e8 fb 3e 30 ff 0b eb<br /> cd 0f b6 1d 8a3<br /> RSP: 0018:ffffc90008637cd8 EFLAGS: 00010282<br /> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff83904fde<br /> RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88871ed36380<br /> RBP: ffff888158beeb40 R08: 0000000000000001 R09: fffff520010c6f56<br /> R10: ffffc90008637ab7 R11: 0000000000000001 R12: 0000000000000001<br /> R13: ffff888140e77400 R14: ffff888140e77408 R15: ffffffff858b42c0<br /> FS: 0000000000000000(0000) GS:ffff88871ed00000(0000)<br /> knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000562384d32158 CR3: 000000055cc6a000 CR4: 00000000000006f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? refcount_warn_saturate+0xb5/0x170<br /> ? __warn+0xa5/0x140<br /> ? refcount_warn_saturate+0xb5/0x170<br /> ? report_bug+0x1b1/0x1e0<br /> ? handle_bug+0x53/0xa0<br /> ? exc_invalid_op+0x17/0x40<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? tick_nohz_tick_stopped+0x1e/0x40<br /> ? refcount_warn_saturate+0xb5/0x170<br /> ? refcount_warn_saturate+0xb5/0x170<br /> nfs3svc_release_getacl+0xc9/0xe0<br /> svc_process_common+0x5db/0xb60<br /> ? __pfx_svc_process_common+0x10/0x10<br /> ? __rcu_read_unlock+0x69/0xa0<br /> ? __pfx_nfsd_dispatch+0x10/0x10<br /> ? svc_xprt_received+0xa1/0x120<br /> ? xdr_init_decode+0x11d/0x190<br /> svc_process+0x2a7/0x330<br /> svc_handle_xprt+0x69d/0x940<br /> svc_recv+0x180/0x2d0<br /> nfsd+0x168/0x200<br /> ? __pfx_nfsd+0x10/0x10<br /> kthread+0x1a2/0x1e0<br /> ? kthread+0xf4/0x1e0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x34/0x60<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Kernel panic - not syncing: kernel: panic_on_warn set ...<br /> <br /> Clear acl_access/acl_default after posix_acl_release is called to prevent<br /> UAF from being triggered.