cve/published/2025/CVE-2025-37871.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37871: nfsd: decrease sc_count directly if fail to queue dl_recall

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 nfsd: decrease sc_count directly if fail to queue dl_recall

 A deadlock warning occurred when invoking nfs4_put_stid following a failed
 dl_recall queue operation:
             T1                            T2
                                 nfs4_laundromat
                                  nfs4_get_client_reaplist
                                   nfs4_anylock_blockers
 __break_lease
  spin_lock // ctx->flc_lock
                                    spin_lock // clp->cl_lock
                                    nfs4_lockowner_has_blockers
                                     locks_owner_has_blockers
                                      spin_lock // flctx->flc_lock
  nfsd_break_deleg_cb
   nfsd_break_one_deleg
    nfs4_put_stid
     refcount_dec_and_lock
      spin_lock // clp->cl_lock

 When a file is opened, an nfs4_delegation is allocated with sc_count
 initialized to 1, and the file_lease holds a reference to the delegation.
 The file_lease is then associated with the file through kernel_setlease.

 The disassociation is performed in nfsd4_delegreturn via the following
 call chain:
 nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->
 nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease
 The corresponding sc_count reference will be released after this
 disassociation.

 Since nfsd_break_one_deleg executes while holding the flc_lock, the
 disassociation process becomes blocked when attempting to acquire flc_lock
 in generic_delete_lease. This means:
 1) sc_count in nfsd_break_one_deleg will not be decremented to 0;
 2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to
 acquire cl_lock;
 3) Consequently, no deadlock condition is created.

 Given that sc_count in nfsd_break_one_deleg remains non-zero, we can
 safely perform refcount_dec on sc_count directly. This approach
 effectively avoids triggering deadlock warnings.

 The Linux kernel CVE team has assigned CVE-2025-37871 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.236 with commit b874cdef4e67e5150e07eff0eae1cbb21fb92da1 and fixed in 5.10.237 with commit b9bbe8f9d5663311d06667ce36d6ed255ead1a26
 	Issue introduced in 5.15.180 with commit cdb796137c57e68ca34518d53be53b679351eb86 and fixed in 5.15.181 with commit a70832d3555987035fc430ccd703acd89393eadb
 	Issue introduced in 6.1.134 with commit d96587cc93ec369031bcd7658c6adc719873c9fd and fixed in 6.1.135 with commit ba903539fff745d592d893c71b30e5e268a95413
 	Issue introduced in 6.6.87 with commit 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1 and fixed in 6.6.88 with commit 7d192e27a431026c58d60edf66dc6cd98d0c01fc
 	Issue introduced in 6.12.23 with commit cad3479b63661a399c9df1d0b759e1806e2df3c8 and fixed in 6.12.25 with commit a7fce086f6ca84db409b9d58493ea77c1978897c
 	Issue introduced in 6.14.2 with commit 133f5e2a37ce08c82d24e8fba65e0a81deae4609 and fixed in 6.14.4 with commit 14985d66b9b99c12995dd99d1c6c8dec4114c2a5
 	Issue introduced in 6.13.11 with commit 63b91c8ff4589f5263873b24c052447a28e10ef7

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37871
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/nfsd/nfs4state.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26
 	https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb
 	https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413
 	https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc
 	https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c
 	https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5
 	https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37871: nfsd: decrease sc_count directly if fail to queue dl_recall

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	nfsd: decrease sc_count directly if fail to queue dl_recall

	A deadlock warning occurred when invoking nfs4_put_stid following a failed
	dl_recall queue operation:
	T1 T2
	nfs4_laundromat
	nfs4_get_client_reaplist
	nfs4_anylock_blockers
	__break_lease
	spin_lock // ctx->flc_lock
	spin_lock // clp->cl_lock
	nfs4_lockowner_has_blockers
	locks_owner_has_blockers
	spin_lock // flctx->flc_lock
	nfsd_break_deleg_cb
	nfsd_break_one_deleg
	nfs4_put_stid
	refcount_dec_and_lock
	spin_lock // clp->cl_lock

	When a file is opened, an nfs4_delegation is allocated with sc_count
	initialized to 1, and the file_lease holds a reference to the delegation.
	The file_lease is then associated with the file through kernel_setlease.

	The disassociation is performed in nfsd4_delegreturn via the following
	call chain:
	nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->
	nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease
	The corresponding sc_count reference will be released after this
	disassociation.

	Since nfsd_break_one_deleg executes while holding the flc_lock, the
	disassociation process becomes blocked when attempting to acquire flc_lock
	in generic_delete_lease. This means:
	1) sc_count in nfsd_break_one_deleg will not be decremented to 0;
	2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to
	acquire cl_lock;
	3) Consequently, no deadlock condition is created.

	Given that sc_count in nfsd_break_one_deleg remains non-zero, we can
	safely perform refcount_dec on sc_count directly. This approach
	effectively avoids triggering deadlock warnings.

	The Linux kernel CVE team has assigned CVE-2025-37871 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.236 with commit b874cdef4e67e5150e07eff0eae1cbb21fb92da1 and fixed in 5.10.237 with commit b9bbe8f9d5663311d06667ce36d6ed255ead1a26
	Issue introduced in 5.15.180 with commit cdb796137c57e68ca34518d53be53b679351eb86 and fixed in 5.15.181 with commit a70832d3555987035fc430ccd703acd89393eadb
	Issue introduced in 6.1.134 with commit d96587cc93ec369031bcd7658c6adc719873c9fd and fixed in 6.1.135 with commit ba903539fff745d592d893c71b30e5e268a95413
	Issue introduced in 6.6.87 with commit 9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1 and fixed in 6.6.88 with commit 7d192e27a431026c58d60edf66dc6cd98d0c01fc
	Issue introduced in 6.12.23 with commit cad3479b63661a399c9df1d0b759e1806e2df3c8 and fixed in 6.12.25 with commit a7fce086f6ca84db409b9d58493ea77c1978897c
	Issue introduced in 6.14.2 with commit 133f5e2a37ce08c82d24e8fba65e0a81deae4609 and fixed in 6.14.4 with commit 14985d66b9b99c12995dd99d1c6c8dec4114c2a5
	Issue introduced in 6.13.11 with commit 63b91c8ff4589f5263873b24c052447a28e10ef7

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37871
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/nfsd/nfs4state.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26
	https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb
	https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413
	https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc
	https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c
	https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5
	https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9