CVE-2025-71090

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/01/2026
Last modified:
14/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()

nfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if the client already has a SHARE_ACCESS_READ open from a previous OPEN operation, this action overwrites the existing pointer without releasing its reference, orphaning the previous reference.

Additionally, the function originally stored the same nfsd_file pointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with only a single reference. When put_deleg_file() runs, it clears fi_rdeleg_file and calls nfs4_file_put_access() to release the file.

However, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when the fi_access[O_RDONLY] counter drops to zero. If another READ open exists on the file, the counter remains elevated and the nfsd_file reference from the delegation is never released. This potentially causes open conflicts on that file.

Then, on server shutdown, these leaks cause __nfsd_file_cache_purge() to encounter files with an elevated reference count that cannot be cleaned up, ultimately triggering a BUG() in kmem_cache_destroy() because there are still nfsd_file objects allocated in that cache.
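
The reference imbalance described above, reduced to a user-space C model. This is an added example, not kernel code and not the upstream patch: every struct and function name is a hypothetical stand-in, and the balanced variant is one assumed way to keep the counts even.

```c
#include <stdio.h>

/* User-space model only; every name here is a hypothetical stand-in. */
struct file_ref { int refs; };            /* models an nfsd_file refcount */
struct state {
    struct file_ref *rd_slot;             /* models fp->fi_fds[O_RDONLY] */
    struct file_ref *rdeleg;              /* models fp->fi_rdeleg_file */
    int rd_access;                        /* models fi_access[O_RDONLY] */
};

static struct file_ref *get_ref(struct file_ref *f) { f->refs++; return f; }
static void put_ref(struct file_ref *f) { f->refs--; }

/* Models nfs4_file_put_access(): the slot is dropped only at counter zero. */
static void put_access(struct state *s) {
    if (--s->rd_access == 0 && s->rd_slot) { put_ref(s->rd_slot); s->rd_slot = NULL; }
}

/* Pattern from the description: unconditional overwrite, one shared ref. */
static void add_rdaccess_leaky(struct state *s, struct file_ref *nf) {
    s->rd_slot = get_ref(nf);             /* previous pointer is orphaned */
    s->rdeleg = s->rd_slot;               /* delegation holds no ref of its own */
    s->rd_access++;
}

/* Assumed balanced variant: keep an existing slot, delegation takes its own ref. */
static void add_rdaccess_balanced(struct state *s, struct file_ref *nf) {
    if (!s->rd_slot) s->rd_slot = get_ref(nf);
    s->rdeleg = get_ref(nf);
    s->rd_access++;
}

/* READ open, delegation granted, delegation returned, READ open closed.
 * Returns the references still outstanding once every holder is gone. */
int leaked_refs(int balanced) {
    struct file_ref a = {0}, b = {0};     /* constructed sample objects */
    struct state s = {0};
    s.rd_slot = get_ref(&a); s.rd_access = 1;          /* earlier OPEN */
    if (balanced) add_rdaccess_balanced(&s, &b); else add_rdaccess_leaky(&s, &b);
    if (balanced) put_ref(s.rdeleg);                   /* delegation's own ref */
    s.rdeleg = NULL; put_access(&s);                   /* models put_deleg_file() */
    put_access(&s);                                    /* close of the READ open */
    return a.refs + b.refs;
}

int main(void) {
    printf("leaky=%d balanced=%d\n", leaked_refs(0), leaked_refs(1));
    return 0;
}
```

A nonzero result in the leaky path corresponds to the object that stays allocated in the cache at shutdown.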

Impact