In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()
nfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if the client already has a SHARE_ACCESS_READ open from a previous OPEN operation, this action overwrites the existing pointer without releasing its reference, orphaning the previous reference.
Additionally, the function originally stored the same nfsd_file pointer in both fp->fi_fds[O_RDONLY] and fp->fi_rdeleg_file with only a single reference. When put_deleg_file() runs, it clears fi_rdeleg_file and calls nfs4_file_put_access() to release the file.
However, nfs4_file_put_access() only releases fi_fds[O_RDONLY] when the fi_access[O_RDONLY] counter drops to zero. If another READ open exists on the file, the counter remains elevated and the nfsd_file reference from the delegation is never released. This potentially causes open conflicts on that file.
Then, on server shutdown, these leaks cause __nfsd_file_cache_purge() to encounter files with an elevated reference count that cannot be cleaned up, ultimately triggering a BUG() in kmem_cache_destroy() because there are still nfsd_file objects allocated in that cache.
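The two defects above (overwriting a held pointer without dropping its reference, and letting two holders share one reference behind a counter-gated release) can be reproduced in a small refcount model. The following is an added example written for this page, not kernel code: `struct rfile`, `struct fstate`, `open_read`, `put_access`, the `*_leaky` and `*_fixed` functions and `run_scenario` are all hypothetical stand-ins for the nfsd structures named in the advisory, and the "fixed" variant is this example's own correction, not necessarily the upstream fix. It walks one client through a READ open, a write delegation with read access, the delegation return and the close, and reports how many references the cached file object has left; a cache purge needs that count to be zero.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: one cached file object whose refcount counts live
 * holders. Acquiring it from the cache is modelled as a plain increment. */
struct rfile {
    int refcount;
};

static struct rfile *rfile_acquire(struct rfile *cached)
{
    cached->refcount++;
    return cached;
}

static void rfile_put(struct rfile *f)
{
    if (f)
        f->refcount--;
}

/* Per-inode state, mirroring the three fields the advisory names. */
struct fstate {
    struct rfile *rd_fd;        /* stands in for fp->fi_fds[O_RDONLY] */
    struct rfile *rdeleg_file;  /* stands in for fp->fi_rdeleg_file */
    int rd_access;              /* stands in for fp->fi_access[O_RDONLY] */
};

/* A READ open: the first one installs the file in the read slot; later ones
 * only bump the access counter and drop their duplicate reference. */
static void open_read(struct fstate *st, struct rfile *nf)
{
    if (st->rd_fd)
        rfile_put(nf);
    else
        st->rd_fd = nf;
    st->rd_access++;
}

/* nfs4_file_put_access() analogue: the read slot is released only when
 * the last READ access goes away. */
static void put_access(struct fstate *st)
{
    if (--st->rd_access == 0) {
        rfile_put(st->rd_fd);
        st->rd_fd = NULL;
    }
}

/* Leaky pattern from the advisory: overwrite the read slot unconditionally
 * and let the delegation share that single reference. */
static void add_rdaccess_leaky(struct fstate *st, struct rfile *nf)
{
    st->rd_fd = nf;        /* any existing pointer is orphaned here */
    st->rdeleg_file = nf;  /* second holder, but no second reference */
    st->rd_access++;
}

/* put_deleg_file() as described: clear the pointer, then release the
 * access, which frees the slot only if the counter reaches zero. */
static void put_deleg_file_leaky(struct fstate *st)
{
    st->rdeleg_file = NULL;
    put_access(st);
}

/* Hardened pattern (this example's own fix): reuse an existing read slot
 * and give the delegation a reference of its own. */
static void add_rdaccess_fixed(struct fstate *st, struct rfile *nf)
{
    open_read(st, nf);                          /* install or drop duplicate */
    st->rdeleg_file = rfile_acquire(st->rd_fd); /* delegation's own ref */
}

static void put_deleg_file_fixed(struct fstate *st)
{
    struct rfile *f = st->rdeleg_file;
    st->rdeleg_file = NULL;
    rfile_put(f);       /* drop the delegation's own reference */
    put_access(st);     /* and the READ access it was granted */
}

/* READ open, write delegation with read access, delegation return, close.
 * Returns the cache object's final refcount (zero means purge can succeed). */
static int run_scenario(bool fixed)
{
    struct rfile file = { 0 };
    struct fstate st = { NULL, NULL, 0 };

    open_read(&st, rfile_acquire(&file));
    if (fixed)
        add_rdaccess_fixed(&st, rfile_acquire(&file));
    else
        add_rdaccess_leaky(&st, rfile_acquire(&file));
    if (fixed)
        put_deleg_file_fixed(&st);
    else
        put_deleg_file_leaky(&st);
    put_access(&st);    /* client closes its READ open */
    return file.refcount;
}

int main(void)
{
    printf("leaky pattern: references left = %d\n", run_scenario(false));
    printf("fixed pattern: references left = %d\n", run_scenario(true));
    return 0;
}
```

With the leaky pattern one reference survives every release path, which is exactly the state a shutdown-time cache purge cannot clean up; with the hardened pattern the count returns to zero because each pointer that holds the object also holds its own reference.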
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71090.json"
}