{"id":"CVE-2025-37871","summary":"nfsd: decrease sc_count directly if fail to queue dl_recall","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: decrease sc_count directly if fail to queue dl_recall\n\nA deadlock warning occurred when invoking nfs4_put_stid following a failed\ndl_recall queue operation:\n            T1                            T2\n                                nfs4_laundromat\n                                 nfs4_get_client_reaplist\n                                  nfs4_anylock_blockers\n__break_lease\n spin_lock // ctx-\u003eflc_lock\n                                   spin_lock // clp-\u003ecl_lock\n                                   nfs4_lockowner_has_blockers\n                                    locks_owner_has_blockers\n                                     spin_lock // flctx-\u003eflc_lock\n nfsd_break_deleg_cb\n  nfsd_break_one_deleg\n   nfs4_put_stid\n    refcount_dec_and_lock\n     spin_lock // clp-\u003ecl_lock\n\nWhen a file is opened, an nfs4_delegation is allocated with sc_count\ninitialized to 1, and the file_lease holds a reference to the delegation.\nThe file_lease is then associated with the file through kernel_setlease.\n\nThe disassociation is performed in nfsd4_delegreturn via the following\ncall chain:\nnfsd4_delegreturn --\u003e destroy_delegation --\u003e destroy_unhashed_deleg --\u003e\nnfs4_unlock_deleg_lease --\u003e kernel_setlease --\u003e generic_delete_lease\nThe corresponding sc_count reference will be released after this\ndisassociation.\n\nSince nfsd_break_one_deleg executes while holding the flc_lock, the\ndisassociation process becomes blocked when attempting to acquire flc_lock\nin generic_delete_lease. This means:\n1) sc_count in nfsd_break_one_deleg will not be decremented to 0;\n2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to\nacquire cl_lock;\n3) Consequently, no deadlock condition is created.\n\nGiven that sc_count in nfsd_break_one_deleg remains non-zero, we can\nsafely perform refcount_dec on sc_count directly. This approach\neffectively avoids triggering deadlock warnings.","modified":"2026-04-02T12:47:34.525563Z","published":"2025-05-09T06:43:59.720Z","related":["SUSE-SU-2025:01964-1","SUSE-SU-2025:01965-1","SUSE-SU-2025:01983-1","SUSE-SU-2025:02000-1","SUSE-SU-2025:02254-1","SUSE-SU-2025:02307-1","SUSE-SU-2025:02333-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:20408-1","SUSE-SU-2025:20413-1","SUSE-SU-2025:20419-1","SUSE-SU-2025:20421-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37871.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37871.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37871"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b874cdef4e67e5150e07eff0eae1cbb21fb92da1"},{"fixed":"b9bbe8f9d5663311d06667ce36d6ed255ead1a26"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cdb796137c57e68ca34518d53be53b679351eb86"},{"fixed":"a70832d3555987035fc430ccd703acd89393eadb"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d96587cc93ec369031bcd7658c6adc719873c9fd"},{"fixed":"ba903539fff745d592d893c71b30e5e268a95413"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1"},{"fixed":"7d192e27a431026c58d60edf66dc6cd98d0c01fc"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cad3479b63661a399c9df1d0b759e1806e2df3c8"},{"fixed":"a7fce086f6ca84db409b9d58493ea77c1978897c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"133f5e2a37ce08c82d24e8fba65e0a81deae4609"},{"fixed":"14985d66b9b99c12995dd99d1c6c8dec4114c2a5"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"230ca758453c63bd38e4d9f4a21db698f7abada8"},{"fixed":"a1d14d931bf700c1025db8c46d6731aa5cf440f9"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"63b91c8ff4589f5263873b24c052447a28e10ef7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37871.json"}}],"schema_version":"1.7.5"}