Bug 2360925 (CVE-2025-39688) - CVE-2025-39688 kernel: nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()
Status: NEW
Alias: CVE-2025-39688
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
Reported: 2025-04-18 08:01 UTC by OSIDB Bzimport
Modified: 2025-04-18 13:42 UTC (History)

Description OSIDB Bzimport 2025-04-18 08:01:30 UTC
In the Linux kernel, the following vulnerability has been resolved:

nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()

The pynfs DELEG8 test fails when run against nfsd. It acquires a
delegation and then lets the lease time out. It then tries to use the
deleg stateid and expects to see NFS4ERR_DELEG_REVOKED, but it gets
bad NFS4ERR_BAD_STATEID instead.

When a delegation is revoked, it's initially marked with
SC_STATUS_REVOKED, or SC_STATUS_ADMIN_REVOKED and later, it's marked
with the SC_STATUS_FREEABLE flag, which denotes that it is waiting for
a FREE_STATEID call.

nfs4_lookup_stateid() accepts a statusmask that includes the status
flags that a found stateid is allowed to have. Currently, that mask
never includes SC_STATUS_FREEABLE, which means that revoked delegations
are (almost) never found.

Add SC_STATUS_FREEABLE to the always-allowed status flags, and remove it
from nfsd4_delegreturn() since it's now always implied.
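
The status-mask behaviour described above, as an added example that is not part of the original report and is not the kernel's code: a simplified C model of a masked stateid lookup showing why a revoked delegation stops being found once it is also marked freeable. The flag bit values, the helper names, the symbolic result codes, the empty pre-fix always-allowed mask and the caller passing SC_STATUS_REVOKED are all assumptions made for illustration.

```c
#include <stdio.h>

/* Flag names come from the commit message; the bit values are constructed. */
#define SC_STATUS_REVOKED  0x1u
#define SC_STATUS_FREEABLE 0x2u

/* Symbolic results for the model, not NFSv4 wire values. */
enum result { RES_OK, RES_BAD_STATEID, RES_DELEG_REVOKED };

/* Hypothetical model: a stateid is found only if every status flag it
 * carries is in the caller's statusmask or in the always-allowed set. */
static int status_allowed(unsigned status, unsigned statusmask, unsigned always)
{
    return (status & ~(statusmask | always)) == 0;
}

/* What a client presenting a delegation stateid sees in this model. */
static enum result use_deleg_stateid(unsigned status, unsigned statusmask,
                                     unsigned always)
{
    if (!status_allowed(status, statusmask, always))
        return RES_BAD_STATEID;      /* lookup fails, stateid looks unknown */
    if (status & SC_STATUS_REVOKED)
        return RES_DELEG_REVOKED;    /* found, and reported as revoked */
    return RES_OK;
}

static const char *name(enum result r)
{
    return r == RES_OK ? "OK" :
           r == RES_BAD_STATEID ? "BAD_STATEID" : "DELEG_REVOKED";
}

int main(void)
{
    unsigned caller = SC_STATUS_REVOKED;   /* assumed caller statusmask */
    unsigned before = 0;                   /* model of pre-fix always-allowed */
    unsigned after  = SC_STATUS_FREEABLE;  /* the fix adds FREEABLE */
    unsigned fresh  = SC_STATUS_REVOKED;   /* just revoked */
    unsigned waiting = SC_STATUS_REVOKED | SC_STATUS_FREEABLE;

    printf("revoked only, before fix:     %s\n",
           name(use_deleg_stateid(fresh, caller, before)));
    printf("revoked+freeable, before fix: %s\n",
           name(use_deleg_stateid(waiting, caller, before)));
    printf("revoked+freeable, after fix:  %s\n",
           name(use_deleg_stateid(waiting, caller, after)));
    return 0;
}
```

The first case is the short window behind the "(almost)" in the description: a stateid that carries only the revoked flag still passes the mask, and it stops passing once the freeable flag is set.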

Comment 1 Avinash Hanwate 2025-04-18 13:37:12 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025041819-CVE-2025-39688-80f1@gregkh/T

