CVE-2025-38338
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38338
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38338.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38338
- Downstream
- Related
- Published
- 2025-07-10T08:15:09Z
- Modified
- 2025-10-18T04:31:06.588495Z
- Summary
- fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
fs/nfs/read: fix double-unlock bug in nfsreturnempty_folio()
Sometimes, when a file was read while it was being truncated by another NFS client, the kernel could deadlock because folio_unlock() was called twice, and the second call would XOR back the
PG_lockedflag.Most of the time (depending on the timing of the truncation), nobody notices the problem because folio_unlock() gets called three times, which flips
PG_lockedback off:- vfsread, nfsreadfolio, ... nfsreadaddfolio, nfsreturnempty_folio
- vfsread, nfsreadfolio, ... netfsreadcollection, netfsunlockabandonedread_pages
- vfsread, ... nfsdoreadfolio, nfsreadaddfolio, nfsreturnemptyfolio
The problem is that nfsreadaddfolio() is not supposed to unlock the folio if fscache is enabled, and a nfsnetfsfoliounlock() check is missing in nfsreturnempty_folio().
Rarely this leads to a warning in netfsreadcollection():
------------[ cut here ]------------ R=0000031c: folio 10 is not locked WARNING: CPU: 0 PID: 29 at fs/netfs/readcollect.c:133 netfsreadcollection+0x7c0/0xf00 [...] Workqueue: eventsunbound netfsreadcollectionworker RIP: 0010:netfsreadcollection+0x7c0/0xf00 [...] Call Trace: <TASK> netfsreadcollectionworker+0x67/0x80 processonework+0x12e/0x2c0 worker_thread+0x295/0x3a0
Most of the time, however, processes just get stuck forever in foliowaitbit_common(), waiting for
PG_lockedto disappear, which never happens because nobody is really holding the folio lock. - References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/14f5549ad163be2c018abc1bb38370fff617a243
- https://git.kernel.org/stable/c/1e93b61d3eaa14bfebcc2716ac09d43f3845d420
- https://git.kernel.org/stable/c/4c10fa44bc5f700e2ea21de2fbae520ba21f19d9
- https://git.kernel.org/stable/c/5bf0b9eeb0174686f22c2e5b8fb9f47ad25da6f5
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced000dbe0bec058cbf2ca9e156e4a5584f5158b0f9Fixed14f5549ad163be2c018abc1bb38370fff617a243
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced000dbe0bec058cbf2ca9e156e4a5584f5158b0f9Fixed5bf0b9eeb0174686f22c2e5b8fb9f47ad25da6f5
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced000dbe0bec058cbf2ca9e156e4a5584f5158b0f9Fixed1e93b61d3eaa14bfebcc2716ac09d43f3845d420
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced000dbe0bec058cbf2ca9e156e4a5584f5158b0f9Fixed4c10fa44bc5f700e2ea21de2fbae520ba21f19d9