We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-37871

nfsd: decrease sc_count directly if fail to queue dl_recall



Description

In the Linux kernel, the following vulnerability has been resolved: nfsd: decrease sc_count directly if fail to queue dl_recall A deadlock warning occurred when invoking nfs4_put_stid following a failed dl_recall queue operation: T1 T2 nfs4_laundromat nfs4_get_client_reaplist nfs4_anylock_blockers __break_lease spin_lock // ctx->flc_lock spin_lock // clp->cl_lock nfs4_lockowner_has_blockers locks_owner_has_blockers spin_lock // flctx->flc_lock nfsd_break_deleg_cb nfsd_break_one_deleg nfs4_put_stid refcount_dec_and_lock spin_lock // clp->cl_lock When a file is opened, an nfs4_delegation is allocated with sc_count initialized to 1, and the file_lease holds a reference to the delegation. The file_lease is then associated with the file through kernel_setlease. The disassociation is performed in nfsd4_delegreturn via the following call chain: nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg --> nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease The corresponding sc_count reference will be released after this disassociation. Since nfsd_break_one_deleg executes while holding the flc_lock, the disassociation process becomes blocked when attempting to acquire flc_lock in generic_delete_lease. This means: 1) sc_count in nfsd_break_one_deleg will not be decremented to 0; 2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to acquire cl_lock; 3) Consequently, no deadlock condition is created. Given that sc_count in nfsd_break_one_deleg remains non-zero, we can safely perform refcount_dec on sc_count directly. This approach effectively avoids triggering deadlock warnings.

Reserved 2025-04-16 | Published 2025-05-09 | Updated 2025-05-26 | Assigner Linux

Product status

Default status
unaffected

b874cdef4e67e5150e07eff0eae1cbb21fb92da1 before b9bbe8f9d5663311d06667ce36d6ed255ead1a26
affected

cdb796137c57e68ca34518d53be53b679351eb86 before a70832d3555987035fc430ccd703acd89393eadb
affected

d96587cc93ec369031bcd7658c6adc719873c9fd before ba903539fff745d592d893c71b30e5e268a95413
affected

9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1 before 7d192e27a431026c58d60edf66dc6cd98d0c01fc
affected

cad3479b63661a399c9df1d0b759e1806e2df3c8 before a7fce086f6ca84db409b9d58493ea77c1978897c
affected

133f5e2a37ce08c82d24e8fba65e0a81deae4609 before 14985d66b9b99c12995dd99d1c6c8dec4114c2a5
affected

230ca758453c63bd38e4d9f4a21db698f7abada8 before a1d14d931bf700c1025db8c46d6731aa5cf440f9
affected

63b91c8ff4589f5263873b24c052447a28e10ef7
affected

Default status
unaffected

5.10.236 before 5.10.237
affected

5.15.180 before 5.15.181
affected

6.1.134 before 6.1.135
affected

6.6.87 before 6.6.88
affected

6.12.23 before 6.12.25
affected

6.14.2 before 6.14.4
affected

References

git.kernel.org/...c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26

git.kernel.org/...c/a70832d3555987035fc430ccd703acd89393eadb

git.kernel.org/...c/ba903539fff745d592d893c71b30e5e268a95413

git.kernel.org/...c/7d192e27a431026c58d60edf66dc6cd98d0c01fc

git.kernel.org/...c/a7fce086f6ca84db409b9d58493ea77c1978897c

git.kernel.org/...c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5

git.kernel.org/...c/a1d14d931bf700c1025db8c46d6731aa5cf440f9

cve.org (CVE-2025-37871)

nvd.nist.gov (CVE-2025-37871)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-37871

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.