CVE-2025-40007: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-40007 is a reference leak vulnerability discovered in the Linux kernel's netfs subsystem. The issue was disclosed on October 20, 2025, affecting the netfsallocrequest() function which incorrectly initializes the reference counter to 2 instead of 1 (NVD, Debian Tracker).

The vulnerability stems from a modification in netfsallocrequest() that changed the initialization of the reference counter from 1 to 2. While the second reference was intended to be released by the request's work item after completion via netfs{read,write}collection_worker(), it creates a leak when the request is released before I/O operation submission. In such cases, the error code path only decrements the reference counter once, and the work item never gets queued due to lack of completion (NVD).

The reference leak has caused significant operational issues, including complete server cluster outages due to tasks being blocked in netfswaitforoutstandingio(), which led to deadlocks in Ceph. The issue specifically manifests when netfspgpriv2begincopytocache() calls fail in fscachebeginwriteoperation(), resulting in leaked netfsiorequest objects and permanently positive netfsinode.iocount values (NVD).

A fix has been implemented that introduces a new function netfsputfailedrequest() which handles failed requests synchronously. This function assumes a reference count of exactly 2 and deinitializes the request object directly. Additionally, a netfsputrequest() call has been added to netfsunbuffered_read(). The fix has been incorporated into various Linux distributions, with patches available for affected versions (Debian Tracker).