CVE-2025-22025
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
nfsd: put dl_stid if fail to queue dl_recall<br />
<br />
Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we<br />
increment the reference count of dl_stid.<br />
We expect that after the corresponding work_struct is processed, the<br />
reference count of dl_stid will be decremented through the callback<br />
function nfsd4_cb_recall_release.<br />
However, if the call to nfsd4_run_cb fails, the incremented reference<br />
count of dl_stid will not be decremented correspondingly, leading to the<br />
following nfs4_stid leak:<br />
unreferenced object 0xffff88812067b578 (size 344):<br />
comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)<br />
hex dump (first 32 bytes):<br />
01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........<br />
00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N..<br />
backtrace:<br />
kmem_cache_alloc+0x4b9/0x700<br />
nfsd4_process_open1+0x34/0x300<br />
nfsd4_open+0x2d1/0x9d0<br />
nfsd4_proc_compound+0x7a2/0xe30<br />
nfsd_dispatch+0x241/0x3e0<br />
svc_process_common+0x5d3/0xcc0<br />
svc_process+0x2a3/0x320<br />
nfsd+0x180/0x2e0<br />
kthread+0x199/0x1d0<br />
ret_from_fork+0x30/0x50<br />
ret_from_fork_asm+0x1b/0x30<br />
unreferenced object 0xffff8881499f4d28 (size 368):<br />
comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)<br />
hex dump (first 32 bytes):<br />
01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I....<br />
30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... .......<br />
backtrace:<br />
kmem_cache_alloc+0x4b9/0x700<br />
nfs4_alloc_stid+0x29/0x210<br />
alloc_init_deleg+0x92/0x2e0<br />
nfs4_set_delegation+0x284/0xc00<br />
nfs4_open_delegation+0x216/0x3f0<br />
nfsd4_process_open2+0x2b3/0xee0<br />
nfsd4_open+0x770/0x9d0<br />
nfsd4_proc_compound+0x7a2/0xe30<br />
nfsd_dispatch+0x241/0x3e0<br />
svc_process_common+0x5d3/0xcc0<br />
svc_process+0x2a3/0x320<br />
nfsd+0x180/0x2e0<br />
kthread+0x199/0x1d0<br />
ret_from_fork+0x30/0x50<br />
ret_from_fork_asm+0x1b/0x30<br />
Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if<br />
fail to queue dl_recall.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.236 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.180 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.134 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.87 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.23 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.14 (including) | 6.14.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/133f5e2a37ce08c82d24e8fba65e0a81deae4609
- https://git.kernel.org/stable/c/230ca758453c63bd38e4d9f4a21db698f7abada8
- https://git.kernel.org/stable/c/63b91c8ff4589f5263873b24c052447a28e10ef7
- https://git.kernel.org/stable/c/9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1
- https://git.kernel.org/stable/c/b874cdef4e67e5150e07eff0eae1cbb21fb92da1
- https://git.kernel.org/stable/c/cad3479b63661a399c9df1d0b759e1806e2df3c8
- https://git.kernel.org/stable/c/cdb796137c57e68ca34518d53be53b679351eb86
- https://git.kernel.org/stable/c/d96587cc93ec369031bcd7658c6adc719873c9fd
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html