CVE-2025-37871

nfsd: decrease sc_count directly if fail to queue dl_recall

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

MITRE

In the Linux kernel, the following vulnerability has been resolved: nfsd: decrease sc_count directly if fail to queue dl_recall A deadlock warning occurred when invoking nfs4_put_stid following a failed
dl_recall queue operation: T1 T2 nfs4_laundromat nfs4_get_client_reaplist nfs4_anylock_blockers
__break_lease spin_lock // ctx->flc_lock spin_lock // clp->cl_lock nfs4_lockowner_has_blockers locks_owner_has_blockers spin_lock // flctx->flc_lock nfsd_break_deleg_cb nfsd_break_one_deleg nfs4_put_stid refcount_dec_and_lock spin_lock // clp->cl_lock When a file is opened, an nfs4_delegation is allocated with sc_count
initialized to 1, and the file_lease holds a reference to the delegation.
The file_lease is then associated with the file through kernel_setlease. The disassociation is performed in nfsd4_delegreturn via the following
call chain:
nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->
nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease
The corresponding sc_count reference will be released after this
disassociation. Since nfsd_break_one_deleg executes while holding the flc_lock, the
disassociation process becomes blocked when attempting to acquire flc_lock
in generic_delete_lease. This means:
1) sc_count in nfsd_break_one_deleg will not be decremented to 0;
2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to
acquire cl_lock;
3) Consequently, no deadlock condition is created. Given that sc_count in nfsd_break_one_deleg remains non-zero, we can
safely perform refcount_dec on sc_count directly. This approach
effectively avoids triggering deadlock warnings.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-05-09 CVE Published
2025-05-09 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (15)

URL	Tag	Source
https://git.kernel.org/stable/c/b874cdef4e67e5150e07eff0eae1cbb21fb92da1	Vuln. Introduced
https://git.kernel.org/stable/c/cdb796137c57e68ca34518d53be53b679351eb86	Vuln. Introduced
https://git.kernel.org/stable/c/d96587cc93ec369031bcd7658c6adc719873c9fd	Vuln. Introduced
https://git.kernel.org/stable/c/9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1	Vuln. Introduced
https://git.kernel.org/stable/c/cad3479b63661a399c9df1d0b759e1806e2df3c8	Vuln. Introduced
https://git.kernel.org/stable/c/133f5e2a37ce08c82d24e8fba65e0a81deae4609	Vuln. Introduced
https://git.kernel.org/stable/c/230ca758453c63bd38e4d9f4a21db698f7abada8	Vuln. Introduced
https://git.kernel.org/stable/c/63b91c8ff4589f5263873b24c052447a28e10ef7	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26	2025-05-02
https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb	2025-05-02
https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413	2025-04-25
https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc	2025-04-25
https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c	2025-04-25
https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5	2025-04-25
https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9	2025-04-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.236 < 5.10.237 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.236 < 5.10.237"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.180 < 5.15.181 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.180 < 5.15.181"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.134 < 6.1.135 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.134 < 6.1.135"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.87 < 6.6.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.87 < 6.6.88"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.12.23 < 6.12.25 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12.23 < 6.12.25"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.14.2 < 6.14.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.14.2 < 6.14.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.15-rc1 < 6.15-rc3 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.15-rc1 < 6.15-rc3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.13.11 Search vendor "Linux" for product "Linux Kernel" and version "6.13.11"		en		Affected