CVE-2025-39688

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/04/2025
Last modified: 06/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()

The pynfs DELEG8 test fails when run against nfsd. It acquires a delegation and then lets the lease time out. It then tries to use the deleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets bad NFS4ERR_BAD_STATEID instead.

When a delegation is revoked, it's initially marked with SC_STATUS_REVOKED, or SC_STATUS_ADMIN_REVOKED and later, it's marked with the SC_STATUS_FREEABLE flag, which denotes that it is waiting for a FREE_STATEID call.

nfs4_lookup_stateid() accepts a statusmask that includes the status flags that a found stateid is allowed to have. Currently, that mask never includes SC_STATUS_FREEABLE, which means that revoked delegations are (almost) never found.

Add SC_STATUS_FREEABLE to the always-allowed status flags, and remove it from nfsd4_delegreturn() since it's now always implied.
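The status-mask behaviour described above can be reproduced with a small user-space model. This is an added example, not the kernel's code: the bit values, the helper names (stateid_matches, model_lookup) and the mapping of a found, revoked stateid to NFS4ERR_DELEG_REVOKED are assumptions made for illustration; only the flag names and the two error names come from the description.

```c
#include <stdio.h>

/* Flag names are from the advisory; the bit values are constructed for this model. */
#define SC_STATUS_REVOKED   (1u << 0)
#define SC_STATUS_FREEABLE  (1u << 1)

/* NFSv4 protocol error numbers. */
#define NFS4_OK                0
#define NFS4ERR_BAD_STATEID    10025
#define NFS4ERR_DELEG_REVOKED  10087

/* A stateid is "found" only if it carries no status flag outside the allowed mask. */
static int stateid_matches(unsigned sc_status, unsigned allowed)
{
    return (sc_status & ~allowed) == 0;
}

/* Hypothetical model of the lookup. `patched` selects whether
 * SC_STATUS_FREEABLE is part of the always-allowed flags. */
static int model_lookup(unsigned sc_status, unsigned statusmask, int patched)
{
    if (patched)
        statusmask |= SC_STATUS_FREEABLE;
    if (!stateid_matches(sc_status, statusmask))
        return NFS4ERR_BAD_STATEID;      /* stateid treated as not found */
    if (sc_status & SC_STATUS_REVOKED)
        return NFS4ERR_DELEG_REVOKED;    /* assumed result for a found, revoked stateid */
    return NFS4_OK;
}

int main(void)
{
    unsigned mask = SC_STATUS_REVOKED;   /* constructed caller mask */
    /* Constructed stateid states: just revoked, then waiting for FREE_STATEID. */
    unsigned just_revoked = SC_STATUS_REVOKED;
    unsigned waiting_free = SC_STATUS_REVOKED | SC_STATUS_FREEABLE;

    printf("revoked,          unpatched: %d\n", model_lookup(just_revoked, mask, 0));
    printf("revoked+freeable, unpatched: %d\n", model_lookup(waiting_free, mask, 0));
    printf("revoked+freeable, patched:   %d\n", model_lookup(waiting_free, mask, 1));
    return 0;
}
```

The second line of output is the DELEG8 symptom: once the FREEABLE bit is set, a mask without it rejects the stateid and the client sees the bad-stateid error instead of the revocation error.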

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11.6 (including) 6.12 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12.1 (including) 6.12.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (including) 6.14.2 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:*