[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2025050959-CVE-2025-37871-937a@gregkh>
Date: Fri, 9 May 2025 08:44:05 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-37871: nfsd: decrease sc_count directly if fail to queue dl_recall
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
nfsd: decrease sc_count directly if fail to queue dl_recall
A deadlock warning occurred when invoking nfs4_put_stid following a failed
dl_recall queue operation:
T1 T2
nfs4_laundromat
nfs4_get_client_reaplist
nfs4_anylock_blockers
__break_lease
spin_lock // ctx->flc_lock
spin_lock // clp->cl_lock
nfs4_lockowner_has_blockers
locks_owner_has_blockers
spin_lock // flctx->flc_lock
nfsd_break_deleg_cb
nfsd_break_one_deleg
nfs4_put_stid
refcount_dec_and_lock
spin_lock // clp->cl_lock
When a file is opened, an nfs4_delegation is allocated with sc_count
initialized to 1, and the file_lease holds a reference to the delegation.
The file_lease is then associated with the file through kernel_setlease.
The disassociation is performed in nfsd4_delegreturn via the following
call chain:
nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->
nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease
The corresponding sc_count reference will be released after this
disassociation.
Since nfsd_break_one_deleg executes while holding the flc_lock, the
disassociation process becomes blocked when attempting to acquire flc_lock
in generic_delete_lease. This means:
1) sc_count in nfsd_break_one_deleg will not be decremented to 0;
2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to
acquire cl_lock;
3) Consequently, no deadlock condition is created.
Given that sc_count in nfsd_break_one_deleg remains non-zero, we can
safely perform refcount_dec on sc_count directly. This approach
effectively avoids triggering deadlock warnings.
The Linux kernel CVE team has assigned CVE-2025-37871 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.10.236 with commit b874cdef4e67e5150e07eff0eae1cbb21fb92da1 and fixed in 5.10.237 with commit b9bbe8f9d5663311d06667ce36d6ed255ead1a26
Issue introduced in 5.15.180 with commit cdb796137c57e68ca34518d53be53b679351eb86 and fixed in 5.15.181 with commit a70832d3555987035fc430ccd703acd89393eadb
Issue introduced in 6.1.134 with commit d96587cc93ec369031bcd7658c6adc719873c9fd and fixed in 6.1.135 with commit ba903539fff745d592d893c71b30e5e268a95413
Issue introduced in 6.6.87 with commit 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1 and fixed in 6.6.88 with commit 7d192e27a431026c58d60edf66dc6cd98d0c01fc
Issue introduced in 6.12.23 with commit cad3479b63661a399c9df1d0b759e1806e2df3c8 and fixed in 6.12.25 with commit a7fce086f6ca84db409b9d58493ea77c1978897c
Issue introduced in 6.14.2 with commit 133f5e2a37ce08c82d24e8fba65e0a81deae4609 and fixed in 6.14.4 with commit 14985d66b9b99c12995dd99d1c6c8dec4114c2a5
Issue introduced in 6.15-rc1 with commit 230ca758453c63bd38e4d9f4a21db698f7abada8 and fixed in 6.15-rc3 with commit a1d14d931bf700c1025db8c46d6731aa5cf440f9
Issue introduced in 6.13.11 with commit 63b91c8ff4589f5263873b24c052447a28e10ef7
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-37871
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/nfsd/nfs4state.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26
https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb
https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413
https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc
https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c
https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5
https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9
Powered by blists - more mailing lists