{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38338","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.005Z","datePublished":"2025-07-10T08:15:09.022Z","dateUpdated":"2026-05-11T21:26:03.883Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:26:03.883Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()\n\nSometimes, when a file was read while it was being truncated by\nanother NFS client, the kernel could deadlock because folio_unlock()\nwas called twice, and the second call would XOR back the `PG_locked`\nflag.\n\nMost of the time (depending on the timing of the truncation), nobody\nnotices the problem because folio_unlock() gets called three times,\nwhich flips `PG_locked` back off:\n\n 1. vfs_read, nfs_read_folio, ... nfs_read_add_folio,\n    nfs_return_empty_folio\n 2. vfs_read, nfs_read_folio, ... netfs_read_collection,\n    netfs_unlock_abandoned_read_pages\n 3. vfs_read, ... nfs_do_read_folio, nfs_read_add_folio,\n    nfs_return_empty_folio\n\nThe problem is that nfs_read_add_folio() is not supposed to unlock the\nfolio if fscache is enabled, and a nfs_netfs_folio_unlock() check is\nmissing in nfs_return_empty_folio().\n\nRarely this leads to a warning in netfs_read_collection():\n\n ------------[ cut here ]------------\n R=0000031c: folio 10 is not locked\n WARNING: CPU: 0 PID: 29 at fs/netfs/read_collect.c:133 netfs_read_collection+0x7c0/0xf00\n [...]\n Workqueue: events_unbound netfs_read_collection_worker\n RIP: 0010:netfs_read_collection+0x7c0/0xf00\n [...]\n Call Trace:\n  <TASK>\n  netfs_read_collection_worker+0x67/0x80\n  process_one_work+0x12e/0x2c0\n  worker_thread+0x295/0x3a0\n\nMost of the time, however, processes just get stuck forever in\nfolio_wait_bit_common(), waiting for `PG_locked` to disappear, which\nnever happens because nobody is really holding the folio lock."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfs/read.c"],"versions":[{"version":"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9","lessThan":"14f5549ad163be2c018abc1bb38370fff617a243","status":"affected","versionType":"git"},{"version":"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9","lessThan":"5bf0b9eeb0174686f22c2e5b8fb9f47ad25da6f5","status":"affected","versionType":"git"},{"version":"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9","lessThan":"1e93b61d3eaa14bfebcc2716ac09d43f3845d420","status":"affected","versionType":"git"},{"version":"000dbe0bec058cbf2ca9e156e4a5584f5158b0f9","lessThan":"4c10fa44bc5f700e2ea21de2fbae520ba21f19d9","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfs/read.c"],"versions":[{"version":"6.4","status":"affected"},{"version":"0","lessThan":"6.4","status":"unaffected","versionType":"semver"},{"version":"6.6.95","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.35","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.4","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.6.95"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.12.35"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.15.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/14f5549ad163be2c018abc1bb38370fff617a243"},{"url":"https://git.kernel.org/stable/c/5bf0b9eeb0174686f22c2e5b8fb9f47ad25da6f5"},{"url":"https://git.kernel.org/stable/c/1e93b61d3eaa14bfebcc2716ac09d43f3845d420"},{"url":"https://git.kernel.org/stable/c/4c10fa44bc5f700e2ea21de2fbae520ba21f19d9"}],"title":"fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()","x_generator":{"engine":"bippy-1.2.0"}}}}