CVE-2025-37871

nfsd: decrease sc_count directly if fail to queue dl_recall

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE
TN

In the Linux kernel, the following vulnerability has been resolved: nfsd: decrease sc_count directly if fail to queue dl_recall A deadlock warning occurred when invoking nfs4_put_stid following a failed
dl_recall queue operation: T1 T2 nfs4_laundromat nfs4_get_client_reaplist nfs4_anylock_blockers
__break_lease spin_lock // ctx->flc_lock spin_lock // clp->cl_lock nfs4_lockowner_has_blockers locks_owner_has_blockers spin_lock // flctx->flc_lock nfsd_break_deleg_cb nfsd_break_one_deleg nfs4_put_stid refcount_dec_and_lock spin_lock // clp->cl_lock When a file is opened, an nfs4_delegation is allocated with sc_count
initialized to 1, and the file_lease holds a reference to the delegation.
The file_lease is then associated with the file through kernel_setlease. The disassociation is performed in nfsd4_delegreturn via the following
call chain:
nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->
nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease
The corresponding sc_count reference will be released after this
disassociation. Since nfsd_break_one_deleg executes while holding the flc_lock, the
disassociation process becomes blocked when attempting to acquire flc_lock
in generic_delete_lease. This means:
1) sc_count in nfsd_break_one_deleg will not be decremented to 0;
2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to
acquire cl_lock;
3) Consequently, no deadlock condition is created. Given that sc_count in nfsd_break_one_deleg remains non-zero, we can
safely perform refcount_dec on sc_count directly. This approach
effectively avoids triggering deadlock warnings.

In the Linux kernel, the following vulnerability has been resolved: nfsd: decrease sc_count directly if fail to queue dl_recall A deadlock warning occurred when invoking nfs4_put_stid following a failed dl_recall queue operation: T1 T2 nfs4_laundromat nfs4_get_client_reaplist nfs4_anylock_blockers __break_lease spin_lock // ctx->flc_lock spin_lock // clp->cl_lock nfs4_lockowner_has_blockers locks_owner_has_blockers spin_lock // flctx->flc_lock nfsd_break_deleg_cb nfsd_break_one_deleg nfs4_put_stid refcount_dec_and_lock spin_lock // clp->cl_lock When a file is opened, an nfs4_delegation is allocated with sc_count initialized to 1, and the file_lease holds a reference to the delegation. The file_lease is then associated with the file through kernel_setlease. The disassociation is performed in nfsd4_delegreturn via the following call chain: nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg --> nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease The corresponding sc_count reference will be released after this disassociation. Since nfsd_break_one_deleg executes while holding the flc_lock, the disassociation process becomes blocked when attempting to acquire flc_lock in generic_delete_lease. This means: 1) sc_count in nfsd_break_one_deleg will not be decremented to 0; 2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to acquire cl_lock; 3) Consequently, no deadlock condition is created. Given that sc_count in nfsd_break_one_deleg remains non-zero, we can safely perform refcount_dec on sc_count directly. This approach effectively avoids triggering deadlock warnings.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-05-09 CVE Published
2025-05-26 CVE Updated
2025-06-10 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (14)

URL	Tag	Source
https://git.kernel.org/stable/c/b874cdef4e67e5150e07eff0eae1cbb21fb92da1	Vuln. Introduced
https://git.kernel.org/stable/c/cdb796137c57e68ca34518d53be53b679351eb86	Vuln. Introduced
https://git.kernel.org/stable/c/d96587cc93ec369031bcd7658c6adc719873c9fd	Vuln. Introduced
https://git.kernel.org/stable/c/9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1	Vuln. Introduced
https://git.kernel.org/stable/c/cad3479b63661a399c9df1d0b759e1806e2df3c8	Vuln. Introduced
https://git.kernel.org/stable/c/133f5e2a37ce08c82d24e8fba65e0a81deae4609	Vuln. Introduced
https://git.kernel.org/stable/c/63b91c8ff4589f5263873b24c052447a28e10ef7	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26	2025-05-02
https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb	2025-05-02
https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413	2025-04-25
https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc	2025-04-25
https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c	2025-04-25
https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5	2025-04-25
https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9	2025-04-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.236 < 5.10.237 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.236 < 5.10.237"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.180 < 5.15.181 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.180 < 5.15.181"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.134 < 6.1.135 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.134 < 6.1.135"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.87 < 6.6.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.87 < 6.6.88"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.12.23 < 6.12.25 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12.23 < 6.12.25"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.14.2 < 6.14.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.14.2 < 6.14.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.13.11 Search vendor "Linux" for product "Linux Kernel" and version "6.13.11"		en		Affected