CVE-2025-37871

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: decrease sc_count directly if fail to queue dl_recall<br /> <br /> A deadlock warning occurred when invoking nfs4_put_stid following a failed<br /> dl_recall queue operation:<br /> T1 T2<br /> nfs4_laundromat<br /> nfs4_get_client_reaplist<br /> nfs4_anylock_blockers<br /> __break_lease<br /> spin_lock // ctx-&gt;flc_lock<br /> spin_lock // clp-&gt;cl_lock<br /> nfs4_lockowner_has_blockers<br /> locks_owner_has_blockers<br /> spin_lock // flctx-&gt;flc_lock<br /> nfsd_break_deleg_cb<br /> nfsd_break_one_deleg<br /> nfs4_put_stid<br /> refcount_dec_and_lock<br /> spin_lock // clp-&gt;cl_lock<br /> <br /> When a file is opened, an nfs4_delegation is allocated with sc_count<br /> initialized to 1, and the file_lease holds a reference to the delegation.<br /> The file_lease is then associated with the file through kernel_setlease.<br /> <br /> The disassociation is performed in nfsd4_delegreturn via the following<br /> call chain:<br /> nfsd4_delegreturn --&gt; destroy_delegation --&gt; destroy_unhashed_deleg --&gt;<br /> nfs4_unlock_deleg_lease --&gt; kernel_setlease --&gt; generic_delete_lease<br /> The corresponding sc_count reference will be released after this<br /> disassociation.<br /> <br /> Since nfsd_break_one_deleg executes while holding the flc_lock, the<br /> disassociation process becomes blocked when attempting to acquire flc_lock<br /> in generic_delete_lease. This means:<br /> 1) sc_count in nfsd_break_one_deleg will not be decremented to 0;<br /> 2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to<br /> acquire cl_lock;<br /> 3) Consequently, no deadlock condition is created.<br /> <br /> Given that sc_count in nfsd_break_one_deleg remains non-zero, we can<br /> safely perform refcount_dec on sc_count directly. This approach<br /> effectively avoids triggering deadlock warnings.