lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025050959-CVE-2025-37871-937a@gregkh>
Date: Fri,  9 May 2025 08:44:05 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-37871: nfsd: decrease sc_count directly if fail to queue dl_recall

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

nfsd: decrease sc_count directly if fail to queue dl_recall

A deadlock warning occurred when invoking nfs4_put_stid following a failed
dl_recall queue operation:
            T1                            T2
                                nfs4_laundromat
                                 nfs4_get_client_reaplist
                                  nfs4_anylock_blockers
__break_lease
 spin_lock // ctx->flc_lock
                                   spin_lock // clp->cl_lock
                                   nfs4_lockowner_has_blockers
                                    locks_owner_has_blockers
                                     spin_lock // flctx->flc_lock
 nfsd_break_deleg_cb
  nfsd_break_one_deleg
   nfs4_put_stid
    refcount_dec_and_lock
     spin_lock // clp->cl_lock

When a file is opened, an nfs4_delegation is allocated with sc_count
initialized to 1, and the file_lease holds a reference to the delegation.
The file_lease is then associated with the file through kernel_setlease.

The disassociation is performed in nfsd4_delegreturn via the following
call chain:
nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->
nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease
The corresponding sc_count reference will be released after this
disassociation.

Since nfsd_break_one_deleg executes while holding the flc_lock, the
disassociation process becomes blocked when attempting to acquire flc_lock
in generic_delete_lease. This means:
1) sc_count in nfsd_break_one_deleg will not be decremented to 0;
2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to
acquire cl_lock;
3) Consequently, no deadlock condition is created.

Given that sc_count in nfsd_break_one_deleg remains non-zero, we can
safely perform refcount_dec on sc_count directly. This approach
effectively avoids triggering deadlock warnings.

The Linux kernel CVE team has assigned CVE-2025-37871 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.10.236 with commit b874cdef4e67e5150e07eff0eae1cbb21fb92da1 and fixed in 5.10.237 with commit b9bbe8f9d5663311d06667ce36d6ed255ead1a26
	Issue introduced in 5.15.180 with commit cdb796137c57e68ca34518d53be53b679351eb86 and fixed in 5.15.181 with commit a70832d3555987035fc430ccd703acd89393eadb
	Issue introduced in 6.1.134 with commit d96587cc93ec369031bcd7658c6adc719873c9fd and fixed in 6.1.135 with commit ba903539fff745d592d893c71b30e5e268a95413
	Issue introduced in 6.6.87 with commit 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1 and fixed in 6.6.88 with commit 7d192e27a431026c58d60edf66dc6cd98d0c01fc
	Issue introduced in 6.12.23 with commit cad3479b63661a399c9df1d0b759e1806e2df3c8 and fixed in 6.12.25 with commit a7fce086f6ca84db409b9d58493ea77c1978897c
	Issue introduced in 6.14.2 with commit 133f5e2a37ce08c82d24e8fba65e0a81deae4609 and fixed in 6.14.4 with commit 14985d66b9b99c12995dd99d1c6c8dec4114c2a5
	Issue introduced in 6.15-rc1 with commit 230ca758453c63bd38e4d9f4a21db698f7abada8 and fixed in 6.15-rc3 with commit a1d14d931bf700c1025db8c46d6731aa5cf440f9
	Issue introduced in 6.13.11 with commit 63b91c8ff4589f5263873b24c052447a28e10ef7

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37871
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/nfsd/nfs4state.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26
	https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb
	https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413
	https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc
	https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c
	https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5
	https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9

Powered by blists - more mailing lists