CVE-2025-37871: nfsd: decrease sc_count directly if fail to queue dl_recall

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: decrease sc_count directly if fail to queue dl_recall

A deadlock warning occurred when invoking nfs4_put_stid following a failed
dl_recall queue operation:
T1                              T2
                                nfs4_laundromat
                                 nfs4_get_client_reaplist
                                  nfs4_anylock_blockers
__break_lease
 spin_lock // ctx->flc_lock
                                   spin_lock // clp->cl_lock
                                   nfs4_lockowner_has_blockers
                                    locks_owner_has_blockers
                                     spin_lock // flctx->flc_lock
 nfsd_break_deleg_cb
  nfsd_break_one_deleg
   nfs4_put_stid
    refcount_dec_and_lock
     spin_lock // clp->cl_lock

When a file is opened, an nfs4_delegation is allocated with sc_count
initialized to 1, and the file_lease holds a reference to the delegation.
The file_lease is then associated with the file through kernel_setlease.

The disassociation is performed in nfsd4_delegreturn via the following
call chain:
nfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->
nfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease
The corresponding sc_count reference will be released after this
disassociation.

Since nfsd_break_one_deleg executes while holding the flc_lock, the
disassociation process becomes blocked when attempting ...
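
The trace above is an AB-BA lock-order inversion between flc_lock and cl_lock. The following user-space C model is an added example (not kernel code and not part of the advisory) that replays both paths through a small lockdep-style dependency graph. The `t1_direct` path is an assumption drawn from the CVE title: sc_count is decremented directly, so cl_lock is never taken under flc_lock.

```c
#include <stdio.h>
#include <string.h>

enum { FLC_LOCK, CL_LOCK, NLOCKS };   /* lock classes named in the trace */
static int dep[NLOCKS][NLOCKS];       /* dep[a][b]: b was taken while a was held */

/* Depth-first search: is lock class `to` reachable from `from` via recorded edges? */
static int reaches(int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < NLOCKS; n++)
        if (dep[from][n] && !seen[n] && reaches(n, to, seen))
            return 1;
    return 0;
}

/* Replay one path's acquisitions (outermost first). Returns how many
 * acquisitions would close a cycle in the graph, i.e. order inversions. */
static int replay(const int *locks, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++) {
            int seen[NLOCKS] = {0};
            if (reaches(locks[j], locks[i], seen))
                bad++;                      /* new lock already orders before held lock */
            dep[locks[i]][locks[j]] = 1;    /* record held -> acquired */
        }
    return bad;
}

/* T2: nfs4_laundromat takes cl_lock, then locks_owner_has_blockers takes flc_lock */
static const int t2[] = { CL_LOCK, FLC_LOCK };
/* T1 as traced: __break_lease holds flc_lock, nfs4_put_stid may take cl_lock */
static const int t1_put_stid[] = { FLC_LOCK, CL_LOCK };
/* T1 assuming a direct sc_count decrement that takes no lock (assumption) */
static const int t1_direct[] = { FLC_LOCK };

static int inversions(const int *t1, int n1)
{
    memset(dep, 0, sizeof dep);
    return replay(t2, 2) + replay(t1, n1);
}

int main(void)
{
    printf("nfs4_put_stid path: %d inversion(s)\n", inversions(t1_put_stid, 2));
    printf("direct decrement:   %d inversion(s)\n", inversions(t1_direct, 1));
    return 0;
}
```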

Classification

CVE ID: CVE-2025-37871

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.64% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-07 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-37871
https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26
https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb
https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413
https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc
https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c
https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5
https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9

Timeline