lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025050959-CVE-2025-37871-937a@gregkh> Date: Fri, 9 May 2025 08:44:05 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2025-37871: nfsd: decrease sc_count directly if fail to queue dl_recall From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: nfsd: decrease sc_count directly if fail to queue dl_recall A deadlock warning occurred when invoking nfs4_put_stid following a failed dl_recall queue operation: T1 T2 nfs4_laundromat nfs4_get_client_reaplist nfs4_anylock_blockers __break_lease spin_lock // ctx->flc_lock spin_lock // clp->cl_lock nfs4_lockowner_has_blockers locks_owner_has_blockers spin_lock // flctx->flc_lock nfsd_break_deleg_cb nfsd_break_one_deleg nfs4_put_stid refcount_dec_and_lock spin_lock // clp->cl_lock When a file is opened, an nfs4_delegation is allocated with sc_count initialized to 1, and the file_lease holds a reference to the delegation. The file_lease is then associated with the file through kernel_setlease. The disassociation is performed in nfsd4_delegreturn via the following call chain: nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg --> nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease The corresponding sc_count reference will be released after this disassociation. Since nfsd_break_one_deleg executes while holding the flc_lock, the disassociation process becomes blocked when attempting to acquire flc_lock in generic_delete_lease. This means: 1) sc_count in nfsd_break_one_deleg will not be decremented to 0; 2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to acquire cl_lock; 3) Consequently, no deadlock condition is created. Given that sc_count in nfsd_break_one_deleg remains non-zero, we can safely perform refcount_dec on sc_count directly. This approach effectively avoids triggering deadlock warnings. The Linux kernel CVE team has assigned CVE-2025-37871 to this issue. Affected and fixed versions =========================== Issue introduced in 5.10.236 with commit b874cdef4e67e5150e07eff0eae1cbb21fb92da1 and fixed in 5.10.237 with commit b9bbe8f9d5663311d06667ce36d6ed255ead1a26 Issue introduced in 5.15.180 with commit cdb796137c57e68ca34518d53be53b679351eb86 and fixed in 5.15.181 with commit a70832d3555987035fc430ccd703acd89393eadb Issue introduced in 6.1.134 with commit d96587cc93ec369031bcd7658c6adc719873c9fd and fixed in 6.1.135 with commit ba903539fff745d592d893c71b30e5e268a95413 Issue introduced in 6.6.87 with commit 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1 and fixed in 6.6.88 with commit 7d192e27a431026c58d60edf66dc6cd98d0c01fc Issue introduced in 6.12.23 with commit cad3479b63661a399c9df1d0b759e1806e2df3c8 and fixed in 6.12.25 with commit a7fce086f6ca84db409b9d58493ea77c1978897c Issue introduced in 6.14.2 with commit 133f5e2a37ce08c82d24e8fba65e0a81deae4609 and fixed in 6.14.4 with commit 14985d66b9b99c12995dd99d1c6c8dec4114c2a5 Issue introduced in 6.15-rc1 with commit 230ca758453c63bd38e4d9f4a21db698f7abada8 and fixed in 6.15-rc3 with commit a1d14d931bf700c1025db8c46d6731aa5cf440f9 Issue introduced in 6.13.11 with commit 63b91c8ff4589f5263873b24c052447a28e10ef7 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-37871 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/nfsd/nfs4state.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26 https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413 https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5 https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9
Powered by blists - more mailing lists