CVE-2025-40007
Description
In the Linux kernel, the following vulnerability has been resolved:
netfs: fix reference leak
Commit 20d72b00ca81 ("netfs: Fix the request's work item to not require a ref") modified netfs_alloc_request() to initialize the reference counter to 2 instead of 1. The rationale was that the requet's "work" would release the second reference after completion (via netfs_{read,write}_collection_worker()). That works most of the time if all goes well.
However, it leaks this additional reference if the request is released before the I/O operation has been submitted: the error code path only decrements the reference counter once and the work item will never be queued because there will never be a completion.
This has caused outages of our whole server cluster today because tasks were blocked in netfs_wait_for_outstanding_io(), leading to deadlocks in Ceph (another bug that I will address soon in another patch). This was caused by a netfs_pgpriv2_begin_copy_to_cache() call which failed in fscache_begin_write_operation(). The leaked netfs_io_request was never completed, leaving netfs_inode.io_count with a positive value forever.
All of this is super-fragile code. Finding out which code paths will lead to an eventual completion and which do not is hard to see:
- Some functions like netfs_create_write_req() allocate a request, but will never submit any I/O.
- netfs_unbuffered_read_iter_locked() calls netfs_unbuffered_read() and then netfs_put_request(); however, netfs_unbuffered_read() can also fail early before submitting the I/O request, therefore another netfs_put_request() call must be added there.
A rule of thumb is that functions that return a netfs_io_request do not submit I/O, and all of their callers must be checked.
For my taste, the whole netfs code needs an overhaul to make reference counting easier to understand and less fragile & obscure. But to fix this bug here and now and produce a patch that is adequate for a stable backport, I tried a minimal approach that quickly frees the request object upon early failure.
I decided against adding a second netfs_put_request() each time because that would cause code duplication which obscures the code further. Instead, I added the function netfs_put_failed_request() which frees such a failed request synchronously under the assumption that the reference count is exactly 2 (as initially set by netfs_alloc_request() and never touched), verified by a WARN_ON_ONCE(). It then deinitializes the request object (without going through the "cleanup_work" indirection) and frees the allocation (with RCU protection to protect against concurrent access by netfs_requests_seq_start()).
All code paths that fail early have been changed to call netfs_put_failed_request() instead of netfs_put_request(). Additionally, I have added a netfs_put_request() call to netfs_unbuffered_read() as explained above because the netfs_put_failed_request() approach does not work there.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reference leak in Linux kernel's netfs subsystem can cause deadlocks in Ceph and other filesystems when I/O requests are released before submission.
Vulnerability
Overview
CVE-2025-40007 is a reference leak vulnerability in the Linux kernel's netfs subsystem. The issue was introduced by commit 20d72b00ca81, which modified netfs_alloc_request() to initialize the reference counter to 2 instead of 1, expecting the request's work item to release the second reference after I/O completion. However, if the request is released before I/O is submitted (e.gsubmitted (e.g., due to an error), the additional reference is never decremented, causing the request to remain in an incomplete state [1].
Exploitation and
Attack Surface
An attacker can trigger this vulnerability by causing a netfs I/O operation to fail early, such as through a failed fscache_begin_write_operation() call in netfs_pgpriv2_begin_copy_to_cache(). No special privileges are required beyond the ability to initiate netfs I/O operations, which may be available to unprivileged users depending on the filesystem configuration. The leaked reference prevents the netfs_io_request from being completed, leaving netfs_inode.io_count permanently positive [1].
Impact
A successful exploit leads to a deadlock in netfs_wait_for_outstanding_io(), blocking tasks indefinitely. This has caused outages in server clusters using Ceph, as the leaked request prevents the I/O completion counter from reaching zero. The vulnerability can also affect other filesystems relying on netfs, such as AFS and NFS [1].
Mitigation
The fix is included in Linux kernel stable updates. The patch (commit 8df142e93098b45) takes a minimal approach to free the request early when I/O is not submitted, preventing the reference leak. Users should update their kernel to a version containing this fix. No workaround is available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: >= 6.10 (commit 20d72b00ca81) until fix
Patches
28df142e930984d428dca252cVulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.