[LTS 9.4] nfsd: don't ignore the return code of svc_proc_register() #564
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PlaidCat
requested review from
PlaidCat,
bmastbergen,
kerneltoast,
shreeya-patel98 and
thefossguy-ciq
PlaidCat
previously approved these changes
Sep 10, 2025
kerneltoast
requested changes
Sep 11, 2025
jira VULN-64896 cve CVE-2025-22026 commit-author Jeff Layton <[email protected]> commit 930b64c upstream-diff | nfsd underwent considerable architectural changes related to the exposition of network stats in the user space since `ciqlts9_4' branched off, which are assumed by the upstream fix 930b64c to be in place - see patches d98416c, 93483ac, 4b14885, e41ee44, 16fb980. This backport addresses the core of the issue without pulling in all of these changes, which is checking the value returned by `svc_proc_register'. Currently, nfsd_proc_stat_init() ignores the return value of svc_proc_register(). If the procfile creation fails, then the kernel will WARN when it tries to remove the entry later. Fix nfsd_proc_stat_init() to return the same type of pointer as svc_proc_register(), and fix up nfsd_net_init() to check that and fail the nfsd_net construction if it occurs. svc_proc_register() can fail if the dentry can't be allocated, or if an identical dentry already exists. The second case is pretty unlikely in the nfsd_net construction codepath, so if this happens, return -ENOMEM. Reported-by: [email protected] Closes: https://lore.kernel.org/linux-nfs/[email protected]/ Cc: [email protected] # v6.9 Signed-off-by: Jeff Layton <[email protected]> Signed-off-by: Chuck Lever <[email protected]> (cherry picked from commit 930b64c) Signed-off-by: Marcin Wcisło <[email protected]>
pvts-mat
force-pushed
the
ciqlts9_4-CVE-2025-22026
branch
from
3e4c5d5 to
3d32877
Compare
|
kselftests–ciqlts94-CVE-2025-22026–fix–run1.log Same results, except for Module loading: |
kerneltoast
approved these changes
Sep 18, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[LTS 9.4]
CVE-2025-22026
VULN-64896
Problem
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=930b64ca0c511521f0abdd1d57ce52b2a6e3476b
Affected: yes
The affected
nfsdmodule is enabled withCONFIG_NFSDwhich ismfor all config variantsThe return value of
svc_proc_register(…)function is clearly not being checked:kernel-src-tree/fs/nfsd/stats.c
Line 129 in 3713f88
Solution
Cherry-picking the mainline fix 930b64c is meaningless, as the code underwent considerable architectural changes related to the exposition of network stats in the user space since
ciqlts9_4branched off. Picking them as "cve-pre" would be impractical and risky, could also affect the/procinterface. It was chosen instead to apply a change equivalent to 930b64c in meaning but fittingciqlts9_4codebase. As a result it differs completely from the upstream.nfsd_stat_init(…)instead ofnfsd_proc_stat_init(…). It's logically the same function, but was renamed in 93483ac. Observe the evolution ofnfsd_stat_init(…)betweenciqlts9_4andkernel-mainlinefor the full context, with the last change coming from the upstream CVE-2025-22026 fix:kernel-src-tree/fs/nfsd/stats.c
Lines 121 to 132 in 3713f88
kernel-src-tree/fs/nfsd/stats.c
Lines 121 to 124 in 93483ac
kernel-src-tree/fs/nfsd/stats.c
Lines 118 to 123 in 16fb980
kernel-src-tree/fs/nfsd/stats.c
Lines 76 to 81 in 930b64c
intreturn value ofnfsd_stat_init(…)was left unchanged, unlike thevoid→struct proc_dir_entry *change in the upstream. The function in the older version already returns a status code so it could have been utilized. This nullified any changes to the header filefs/nfsd/stats.hfound in the upstream.-ENOMEMreturn code in case ofsvc_proc_register(…)call failure was retained, based on the justification given in the upstream fix which remained valid:nfsd_net_init(…)function offs/nfsd/nfsctl.cin casenfsd_proc_stat_init(…)failed: 930b64c#diff-540a099ea05e266ccb0e9fa515be1e018baf46cef98f0f169e509fa43e1b4878R2228-R2229In
ciqlts9_4this is not necessary, becausenfsd_stat_init(…)is not even used insidenfsd_net_init(…). Instead it's called ininit_nfsd()(and only there) in a way which already covers a jump to an appropriate cleanup routine whennfsd_stat_init(…)fails:kernel-src-tree/fs/nfsd/nfsctl.c
Lines 1578 to 1580 in 3713f88
As a result there are no changes to the
fs/nfsd/nfsctl.cfile, unlike in the upstream.kABI check: passed
Boot test: passed
boot-test.log
Kselftests: passed relative
Coverage
bpf(onlytest_lpm_map,test_lru_map,test_sock,test_verifier,test_cgroup_storage,test_tag,test_tcpnotify_user,test_sysctl),breakpoints(onlybreakpoint_test),capabilities,clone3,cpu-hotplug,cpufreq,drivers/dma-buf,drivers/net/bonding(all exceptbond_macvlan.sh),drivers/net/team,exec,filesystems/binderfs,filesystems/epoll,firmware,fpu,ftrace,futex,gpio,intel_pstate,iommu,ipc,ir,kcmp,kexec,kvm,landlock,lib,livepatch,membarrier,memfd,memory-hotplug,mincore,mount,mqueue,nci,net/forwarding(all exceptsch_red.sh,sch_ets.sh,sch_tbf_ets.sh,vxlan_bridge_1d_ipv6.sh,ip6gre_inner_v6_multipath.sh,mirror_gre_vlan_bridge_1q.sh,router_bridge_lag.sh,mirror_gre_bridge_1d_vlan.sh,bridge_igmp.sh,sch_tbf_root.sh,tc_police.sh,q_in_vni.sh,dual_vxlan_bridge.sh,ipip_hier_gre_keys.sh,gre_inner_v6_multipath.sh,sch_tbf_prio.sh,tc_actions.sh,router_bridge_1d_lag.sh),net/hsr,net/mptcp(all exceptuserspace_pm.sh,simult_flows.sh,mptcp_join.sh),net(all exceptreuseport_addr_any.sh,srv6_end_dt6_l3vpn_test.sh,srv6_end_flavors_test.sh,udpgro_fwd.sh,udpgso_bench.sh,fib_nexthops.sh,ip_defrag.sh,reuseaddr_conflict,srv6_end_dt46_l3vpn_test.sh,srv6_end_dt4_l3vpn_test.sh,gro.sh,xfrm_policy.sh,txtimestamp.sh),netfilter(all exceptnft_trans_stress.sh),nsfs,pid_namespace,pidfd,proc(all exceptproc-pid-vm,proc-uptime-001),pstore,ptrace,rlimits,rseq,seccomp,sgx,sigaltstack,size,splice,static_keys,syscall_user_dispatch,tc-testing,tdx,timens,timers,tmpfs,tpm2,tty,vDSO,x86,zramReference
kselftests–ciqlts9_4–run1.log
Patch
kselftests–ciqlts9_4-CVE-2025-22026–run1.log
kselftests–ciqlts9_4-CVE-2025-22026–run2.log
Comparison
The tests results between the reference and patched kernel are the same
Specific tests: passed
Considering that the change deals with module's initialization routine a simple loading of the
nfsdmodule constitutes a reasonable patch test, at least of the success branch.The nfsd statistics implemented by the modified file are available in
/proc/net/rpc/nfsd: