CVE-2025-38023

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfs: handle failure of nfs_get_lock_context in unlock path<br /> <br /> When memory is insufficient, the allocation of nfs_lock_context in<br /> nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat<br /> an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM)<br /> as valid and proceed to execute rpc_run_task(), this will trigger a NULL<br /> pointer dereference in nfs4_locku_prepare. For example:<br /> <br /> BUG: kernel NULL pointer dereference, address: 000000000000000c<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] SMP PTI<br /> CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40<br /> Workqueue: rpciod rpc_async_schedule<br /> RIP: 0010:nfs4_locku_prepare+0x35/0xc2<br /> Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3<br /> RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246<br /> RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40<br /> RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38<br /> R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030<br /> R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30<br /> FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0<br /> Call Trace:<br /> <br /> __rpc_execute+0xbc/0x480<br /> rpc_async_schedule+0x2f/0x40<br /> process_one_work+0x232/0x5d0<br /> worker_thread+0x1da/0x3d0<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0x10d/0x240<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x34/0x50<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Modules linked in:<br /> CR2: 000000000000000c<br /> ---[ end trace 0000000000000000 ]---<br /> <br /> Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and<br /> return NULL to terminate subsequent rpc_run_task, preventing NULL pointer<br /> dereference.