CVE-2025-40273
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/12/2025
Last modified:
06/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

NFSD: free copynotify stateid in nfs4_free_ol_stateid()

Typically copynotify stateid is freed either when parent's stateid
is being closed/freed or in nfsd4_laundromat if the stateid hasn't
been used in a lease period.

However, in case when the server got an OPEN (which created
a parent stateid), followed by a COPY_NOTIFY using that stateid,
followed by a client reboot. New client instance while doing
CREATE_SESSION would force expire previous state of this client.
It leads to the open state being freed thru release_openowner->
nfs4_free_ol_stateid() and it finds that it still has copynotify
stateid associated with it. We currently print a warning and it is
triggered:

WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]

This patch, instead, frees the associated copynotify stateid here.

If the parent stateid is freed (without freeing the copynotify
stateids associated with it), it leads to the list corruption
when laundromat ends up freeing the copynotify state later.

[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink
[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary)
[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024
[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd]
[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200
[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200
[ 1626.861182] sp : ffff8000881d7a40
[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200
[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20
[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8
[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000
[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065
[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3
[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000
[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001
[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000
[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d
[ 1626.868167] Call trace:
[ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P)
[ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd]
[ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd]
[ 1626.869813] laundromat_main+0x24/0x60 [nfsd]
[ 1626.870231] process_one_work+0x584/0x1050
[ 1626.870595] worker_thread+0x4c4/0xc60
[ 1626.870893] kthread+0x2f8/0x398
[ 1626.871146] ret_from_fork+0x10/0x20
[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000)
[ 1626.871892] SMP: stopping secondary CPUs
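The description above is the kernel commit message. As an added illustration that is not part of this record or of the NFSD code, the following C program models the ownership pattern the message describes: a copynotify child hangs off an open (parent) stateid and is also linked into a global list that the laundromat walks, so tearing down the parent without its children leaves dangling entries for the laundromat to find later. Struct and function names (open_state, cpntf_state, free_open_state_buggy, free_open_state_fixed, laundromat_stale_entries, run_scenario) are hypothetical; a "freed" flag stands in for memory the kernel would really have released, so the dangling reference is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive doubly linked list in the style of the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical parent (open) stateid. "freed" stands in for released memory. */
struct open_state {
    int freed;
    struct list_head cpntf_list;      /* copynotify children of this open stateid */
};

/* Hypothetical copynotify stateid, linked both to its parent and to the laundromat. */
struct cpntf_state {
    struct open_state *parent;
    struct list_head parent_link;     /* entry in parent->cpntf_list */
    struct list_head laundromat_link; /* entry in the global laundromat list */
};

static struct list_head laundromat_list; /* what the laundromat periodically walks */

static struct open_state *do_open(void)
{
    struct open_state *os = calloc(1, sizeof *os);
    list_init(&os->cpntf_list);
    return os;
}

static struct cpntf_state *do_copy_notify(struct open_state *parent)
{
    struct cpntf_state *c = calloc(1, sizeof *c);
    c->parent = parent;
    list_add(&c->parent_link, &parent->cpntf_list);
    list_add(&c->laundromat_link, &laundromat_list);
    return c;
}

/* Pre-patch behaviour: the parent goes away, its children stay on both lists. */
static void free_open_state_buggy(struct open_state *os) { os->freed = 1; }

/* Patched behaviour: unlink and free every copynotify child together with its parent. */
static void free_open_state_fixed(struct open_state *os)
{
    while (os->cpntf_list.next != &os->cpntf_list) {
        struct cpntf_state *c =
            container_of(os->cpntf_list.next, struct cpntf_state, parent_link);
        list_del(&c->parent_link);
        list_del(&c->laundromat_link);
        free(c);
    }
    os->freed = 1;
}

/* Laundromat pass: count entries whose parent is already gone. In the kernel this
 * dereference lands in freed memory and the list-debug check reports corruption. */
static int laundromat_stale_entries(void)
{
    int stale = 0;
    for (struct list_head *p = laundromat_list.next; p != &laundromat_list; p = p->next) {
        struct cpntf_state *c = container_of(p, struct cpntf_state, laundromat_link);
        if (c->parent->freed)
            stale++;
    }
    return stale;
}

/* OPEN, COPY_NOTIFY, then the client "reboots" and its open state is torn down.
 * Returns how many dangling copynotify entries the next laundromat run sees. */
static int run_scenario(int patched)
{
    list_init(&laundromat_list);
    struct open_state *os = do_open();
    do_copy_notify(os);
    if (patched)
        free_open_state_fixed(os);
    else
        free_open_state_buggy(os);
    int stale = laundromat_stale_entries();

    /* Drain leftovers (only present in the unpatched run) so the scenario can be rerun. */
    while (laundromat_list.next != &laundromat_list) {
        struct cpntf_state *c =
            container_of(laundromat_list.next, struct cpntf_state, laundromat_link);
        list_del(&c->laundromat_link);
        free(c);
    }
    free(os);
    return stale;
}

int main(void)
{
    printf("unpatched: %d stale copynotify entries\n", run_scenario(0));
    printf("patched:   %d stale copynotify entries\n", run_scenario(1));
    return 0;
}
```

The unpatched run leaves one entry on the laundromat list whose parent is gone, which is the situation the oops above shows in _free_cpntf_state_locked; the patched run leaves none, because the children are unlinked from both lists before the parent is released.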
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66
- https://git.kernel.org/stable/c/4aa17144d5abc3c756883e3a010246f0dba8b468
- https://git.kernel.org/stable/c/839f56f626723f36904764858467e7a3881b975d
- https://git.kernel.org/stable/c/935a2dc8928670bb2c37e21025331e61ec48ccf4
- https://git.kernel.org/stable/c/b114996a095da39e38410a0328d4a8aca8c36088
- https://git.kernel.org/stable/c/d7be15a634aa3874827d0d3ea47452ee878b8df7
- https://git.kernel.org/stable/c/f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb