CVE-2025-37871
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
nfsd: decrease sc_count directly if fail to queue dl_recall
A deadlock warning occurred when invoking nfs4_put_stid following a failed dl_recall queue operation: T1 T2 nfs4_laundromat nfs4_get_client_reaplist nfs4_anylock_blockers __break_lease spin_lock // ctx->flc_lock spin_lock // clp->cl_lock nfs4_lockowner_has_blockers locks_owner_has_blockers spin_lock // flctx->flc_lock nfsd_break_deleg_cb nfsd_break_one_deleg nfs4_put_stid refcount_dec_and_lock spin_lock // clp->cl_lock
When a file is opened, an nfs4_delegation is allocated with sc_count initialized to 1, and the file_lease holds a reference to the delegation. The file_lease is then associated with the file through kernel_setlease.
The disassociation is performed in nfsd4_delegreturn via the following call chain: nfsd4_delegreturn –> destroy_delegation –> destroy_unhashed_deleg –> nfs4_unlock_deleg_lease –> kernel_setlease –> generic_delete_lease The corresponding sc_count reference will be released after this disassociation.
Since nfsd_break_one_deleg executes while holding the flc_lock, the disassociation process becomes blocked when attempting to acquire flc_lock in generic_delete_lease. This means:
- sc_count in nfsd_break_one_deleg will not be decremented to 0;
- The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to acquire cl_lock;
- Consequently, no deadlock condition is created.
Given that sc_count in nfsd_break_one_deleg remains non-zero, we can safely perform refcount_dec on sc_count directly. This approach effectively avoids triggering deadlock warnings.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | b874cdef4e67e5150e07eff0eae1cbb21fb92da1 < b9bbe8f9d5663311d06667ce36d6ed255ead1a26 | affected |
| Linux | Linux | cdb796137c57e68ca34518d53be53b679351eb86 < a70832d3555987035fc430ccd703acd89393eadb | affected |
| Linux | Linux | d96587cc93ec369031bcd7658c6adc719873c9fd < ba903539fff745d592d893c71b30e5e268a95413 | affected |
| Linux | Linux | 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1 < 7d192e27a431026c58d60edf66dc6cd98d0c01fc | affected |
| Linux | Linux | cad3479b63661a399c9df1d0b759e1806e2df3c8 < a7fce086f6ca84db409b9d58493ea77c1978897c | affected |
| Linux | Linux | 133f5e2a37ce08c82d24e8fba65e0a81deae4609 < 14985d66b9b99c12995dd99d1c6c8dec4114c2a5 | affected |
| Linux | Linux | 230ca758453c63bd38e4d9f4a21db698f7abada8 < a1d14d931bf700c1025db8c46d6731aa5cf440f9 | affected |
| Linux | Linux | 63b91c8ff4589f5263873b24c052447a28e10ef7 | affected |
| Linux | Linux | 6.13.11 < 6.14 | affected |
| Linux | Linux | 5.10.236 < 5.10.237 | affected |
| Linux | Linux | 5.15.180 < 5.15.181 | affected |
| Linux | Linux | 6.1.134 < 6.1.135 | affected |
| Linux | Linux | 6.6.87 < 6.6.88 | affected |
| Linux | Linux | 6.12.23 < 6.12.25 | affected |
| Linux | Linux | 6.14.2 < 6.14.4 | affected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
References
- https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26
- https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb
- https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413
- https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc
- https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c
- https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5
- https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.