{
  "threat_severity" : "Moderate",
  "public_date" : "2025-04-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: nfsd: put dl_stid if fail to queue dl_recall",
    "id" : "2360241",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2360241"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnfsd: put dl_stid if fail to queue dl_recall\nBefore calling nfsd4_run_cb to queue dl_recall to the callback_wq, we\nincrement the reference count of dl_stid.\nWe expect that after the corresponding work_struct is processed, the\nreference count of dl_stid will be decremented through the callback\nfunction nfsd4_cb_recall_release.\nHowever, if the call to nfsd4_run_cb fails, the incremented reference\ncount of dl_stid will not be decremented correspondingly, leading to the\nfollowing nfs4_stid leak:\nunreferenced object 0xffff88812067b578 (size 344):\ncomm \"nfsd\", pid 2761, jiffies 4295044002 (age 5541.241s)\nhex dump (first 32 bytes):\n01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff  ....kkkk........\n00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de  .kkkkkkk.....N..\nbacktrace:\nkmem_cache_alloc+0x4b9/0x700\nnfsd4_process_open1+0x34/0x300\nnfsd4_open+0x2d1/0x9d0\nnfsd4_proc_compound+0x7a2/0xe30\nnfsd_dispatch+0x241/0x3e0\nsvc_process_common+0x5d3/0xcc0\nsvc_process+0x2a3/0x320\nnfsd+0x180/0x2e0\nkthread+0x199/0x1d0\nret_from_fork+0x30/0x50\nret_from_fork_asm+0x1b/0x30\nunreferenced object 0xffff8881499f4d28 (size 368):\ncomm \"nfsd\", pid 2761, jiffies 4295044005 (age 5541.239s)\nhex dump (first 32 bytes):\n01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff  ........0M.I....\n30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00  0M.I.... .......\nbacktrace:\nkmem_cache_alloc+0x4b9/0x700\nnfs4_alloc_stid+0x29/0x210\nalloc_init_deleg+0x92/0x2e0\nnfs4_set_delegation+0x284/0xc00\nnfs4_open_delegation+0x216/0x3f0\nnfsd4_process_open2+0x2b3/0xee0\nnfsd4_open+0x770/0x9d0\nnfsd4_proc_compound+0x7a2/0xe30\nnfsd_dispatch+0x241/0x3e0\nsvc_process_common+0x5d3/0xcc0\nsvc_process+0x2a3/0x320\nnfsd+0x180/0x2e0\nkthread+0x199/0x1d0\nret_from_fork+0x30/0x50\nret_from_fork_asm+0x1b/0x30\nFix it by checking the result of nfsd4_run_cb and calling nfs4_put_stid if\nit fails to queue dl_recall." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.8.1.el10_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-22025\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22025\nhttps://lore.kernel.org/linux-cve-announce/2025041654-CVE-2025-22025-41c4@gregkh/T" ],
  "name" : "CVE-2025-22025",
  "csaw" : false
}