CVE-2025-39723
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-39723
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39723.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-39723
- Downstream
- Published
- 2025-09-05T17:21:31Z
- Modified
- 2025-10-22T15:25:11.748521Z
- Summary
- netfs: Fix unbuffered write error handling
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
netfs: Fix unbuffered write error handling
If all the subrequests in an unbuffered write stream fail, the subrequest collector doesn't update the stream->transferred value and it retains its initial LONGMAX value. Unfortunately, if all active streams fail, then we take the smallest value of { LONGMAX, LONGMAX, ... } as the value to set in wreq->transferred - which is then returned from ->writeiter().
LONG_MAX was chosen as the initial value so that all the streams can be quickly assessed by taking the smallest value of all stream->transferred - but this only works if we've set any of them.
Fix this by adding a flag to indicate whether the value in stream->transferred is valid and checking that when we integrate the values. stream->transferred can then be initialised to zero.
This was found by running the generic/750 xfstest against cifs with cache=none. It splices data to the target file. Once (if) it has used up all the available scratch space, the writes start failing with ENOSPC. This causes ->writeiter() to fail. However, it was returning wreq->transferred, i.e. LONGMAX, rather than an error (because it thought the amount transferred was non-zero) and iterfilesplice_write() would then try to clean up that amount of pipe bufferage - leading to an oops when it overran. The kernel log showed:
CIFS: VFS: Send error in write = -28followed by:
BUG: kernel NULL pointer dereference, address: 0000000000000008with:
RIP: 0010:iter_file_splice_write+0x3a4/0x520 do_splice+0x197/0x4e0or:
RIP: 0010:pipe_buf_release (include/linux/pipe_fs_i.h:282) iter_file_splice_write (fs/splice.c:755)Also put a warning check into splice to announce if ->write_iter() returned that it had written more than it was asked to.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced288ace2f57c9d06dd2e42bd80d03747d879a4068Fixedf08c80af3c9a9849cd178b4843b7c01d103506a1
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced288ace2f57c9d06dd2e42bd80d03747d879a4068Fixed387164a2b97e1f5404c6d0049a7409bac7d2bc5b
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced288ace2f57c9d06dd2e42bd80d03747d879a4068Fixeda3de58b12ce074ec05b8741fa28d62ccb1070468
Affected versions
v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.16.2
v6.16.3
v6.17-rc1
v6.9
v6.9-rc7
Database specific
vanir_signatures
[
{
"id": "CVE-2025-39723-01f66428",
"target": {
"file": "include/linux/netfs.h"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f08c80af3c9a9849cd178b4843b7c01d103506a1",
"deprecated": false,
"digest": {
"line_hashes": [
"226766369314391255647736390907907038378",
"201814266883012147815471968141440801917",
"94009567527733196894840389361265671126",
"234226933144242248523061056146198854610"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2025-39723-115407bb",
"target": {
"function": "netfs_create_write_req",
"file": "fs/netfs/write_issue.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f08c80af3c9a9849cd178b4843b7c01d103506a1",
"deprecated": false,
"digest": {
"length": 1385.0,
"function_hash": "321122544111048299139721582892764928108"
},
"signature_type": "Function"
},
{
"id": "CVE-2025-39723-3501fae6",
"target": {
"function": "netfs_collect_write_results",
"file": "fs/netfs/write_collect.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f08c80af3c9a9849cd178b4843b7c01d103506a1",
"deprecated": false,
"digest": {
"length": 2994.0,
"function_hash": "297264575870148413603643897009767229680"
},
"signature_type": "Function"
},
{
"id": "CVE-2025-39723-3602f1ff",
"target": {
"function": "iter_file_splice_write",
"file": "fs/splice.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f08c80af3c9a9849cd178b4843b7c01d103506a1",
"deprecated": false,
"digest": {
"length": 2091.0,
"function_hash": "223100139984072584010004198327154015425"
},
"signature_type": "Function"
},
{
"id": "CVE-2025-39723-3c20adf4",
"target": {
"file": "fs/splice.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f08c80af3c9a9849cd178b4843b7c01d103506a1",
"deprecated": false,
"digest": {
"line_hashes": [
"253216401745127943113320284838077317799",
"289221957837378067273791102161020390062",
"155414123535814216841846178154747523094",
"271479483035430603748544088771755955668"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2025-39723-4bbb4346",
"target": {
"function": "netfs_collect_read_results",
"file": "fs/netfs/read_collect.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3de58b12ce074ec05b8741fa28d62ccb1070468",
"deprecated": false,
"digest": {
"length": 3379.0,
"function_hash": "84603139407353849779122054199393929903"
},
"signature_type": "Function"
},
{
"id": "CVE-2025-39723-575a4104",
"target": {
"file": "fs/splice.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3de58b12ce074ec05b8741fa28d62ccb1070468",
"deprecated": false,
"digest": {
"line_hashes": [
"253216401745127943113320284838077317799",
"289221957837378067273791102161020390062",
"155414123535814216841846178154747523094",
"271479483035430603748544088771755955668"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2025-39723-64618418",
"target": {
"function": "netfs_collect_write_results",
"file": "fs/netfs/write_collect.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3de58b12ce074ec05b8741fa28d62ccb1070468",
"deprecated": false,
"digest": {
"length": 2837.0,
"function_hash": "164251429052469539918377973241494092738"
},
"signature_type": "Function"
},
{
"id": "CVE-2025-39723-710b510d",
"target": {
"function": "netfs_write_collection",
"file": "fs/netfs/write_collect.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3de58b12ce074ec05b8741fa28d62ccb1070468",
"deprecated": false,
"digest": {
"length": 1684.0,
"function_hash": "16969479975651770148986865128969180996"
},
"signature_type": "Function"
},
{
"id": "CVE-2025-39723-7a2e627f",
"target": {
"function": "netfs_create_write_req",
"file": "fs/netfs/write_issue.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3de58b12ce074ec05b8741fa28d62ccb1070468",
"deprecated": false,
"digest": {
"length": 1619.0,
"function_hash": "336849472327566640831190408860157995734"
},
"signature_type": "Function"
},
{
"id": "CVE-2025-39723-b70cdb37",
"target": {
"file": "fs/netfs/write_collect.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f08c80af3c9a9849cd178b4843b7c01d103506a1",
"deprecated": false,
"digest": {
"line_hashes": [
"232944459237744227565763782786389859608",
"206695699649759454466276856720958629340",
"115767594050205224383744204051782154259",
"328212328478059209418055497635774157273",
"99320184609491771914954937020035390770",
"57723862412509708099035402382924713417",
"299077306412950398593920143402524485941",
"310495439950693404011730595093201572180",
"74727358458785713184675028050734047025",
"283349921681519592728123362851266948028",
"137389553900870354806676089335541629454",
"143357229982603103225111445079814296477",
"307684423117645086964158975391809565467",
"266366266018554439638159640776674876722",
"85185406593913803361942286168675131081"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2025-39723-ba13a62a",
"target": {
"function": "netfs_write_collection_worker",
"file": "fs/netfs/write_collect.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f08c80af3c9a9849cd178b4843b7c01d103506a1",
"deprecated": false,
"digest": {
"length": 1939.0,
"function_hash": "251389434831643256915410815859955268069"
},
"signature_type": "Function"
},
{
"id": "CVE-2025-39723-c15d7638",
"target": {
"file": "fs/netfs/write_collect.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3de58b12ce074ec05b8741fa28d62ccb1070468",
"deprecated": false,
"digest": {
"line_hashes": [
"232944459237744227565763782786389859608",
"206695699649759454466276856720958629340",
"115767594050205224383744204051782154259",
"328212328478059209418055497635774157273",
"196053241724412282194114302766526949015",
"299760232211774354713902846902300562284",
"299077306412950398593920143402524485941",
"311782582007064364820371586609224657531",
"213356013228069039935853563609709146434",
"39977415509769179904296530791076863662",
"88070970837275425888085383652319771966",
"143357229982603103225111445079814296477",
"307684423117645086964158975391809565467",
"266366266018554439638159640776674876722",
"85185406593913803361942286168675131081"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2025-39723-c2e7f130",
"target": {
"file": "fs/netfs/write_issue.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f08c80af3c9a9849cd178b4843b7c01d103506a1",
"deprecated": false,
"digest": {
"line_hashes": [
"222381586288127489139336114093205456267",
"161061623260853940612121554708582191146",
"168872238854313214445452442695675187622",
"329826576940532640895268692406599593515",
"319669698191984274278944752322520400769",
"305433251950345947466387256862937165033",
"309112615140760446751952990384736774892",
"228114948473520009606498851130286454653"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2025-39723-cb55fe75",
"target": {
"file": "include/linux/netfs.h"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3de58b12ce074ec05b8741fa28d62ccb1070468",
"deprecated": false,
"digest": {
"line_hashes": [
"226766369314391255647736390907907038378",
"201814266883012147815471968141440801917",
"94009567527733196894840389361265671126",
"234226933144242248523061056146198854610"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2025-39723-d3e83836",
"target": {
"file": "fs/netfs/write_issue.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3de58b12ce074ec05b8741fa28d62ccb1070468",
"deprecated": false,
"digest": {
"line_hashes": [
"222381586288127489139336114093205456267",
"161061623260853940612121554708582191146",
"168872238854313214445452442695675187622",
"329826576940532640895268692406599593515",
"319669698191984274278944752322520400769",
"305433251950345947466387256862937165033",
"309112615140760446751952990384736774892",
"228114948473520009606498851130286454653"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2025-39723-d63a7d8d",
"target": {
"file": "fs/netfs/read_collect.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3de58b12ce074ec05b8741fa28d62ccb1070468",
"deprecated": false,
"digest": {
"line_hashes": [
"56735984242752830940861348096506500572",
"328545942273880946473312646489636781510",
"25899437093528194972975697182175384811",
"295471887042968585329309490538203464570",
"110555637689613063404420337586693109984"
],
"threshold": 0.9
},
"signature_type": "Line"
},
{
"id": "CVE-2025-39723-ebb47a46",
"target": {
"function": "iter_file_splice_write",
"file": "fs/splice.c"
},
"signature_version": "v1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a3de58b12ce074ec05b8741fa28d62ccb1070468",
"deprecated": false,
"digest": {
"length": 2044.0,
"function_hash": "11061677718693898979836610008464904179"
},
"signature_type": "Function"
}
]