{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-37871","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.959Z","datePublished":"2025-05-09T06:43:59.720Z","dateUpdated":"2026-05-11T21:16:43.327Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:16:43.327Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: decrease sc_count directly if fail to queue dl_recall\n\nA deadlock warning occurred when invoking nfs4_put_stid following a failed\ndl_recall queue operation:\n            T1                            T2\n                                nfs4_laundromat\n                                 nfs4_get_client_reaplist\n                                  nfs4_anylock_blockers\n__break_lease\n spin_lock // ctx->flc_lock\n                                   spin_lock // clp->cl_lock\n                                   nfs4_lockowner_has_blockers\n                                    locks_owner_has_blockers\n                                     spin_lock // flctx->flc_lock\n nfsd_break_deleg_cb\n  nfsd_break_one_deleg\n   nfs4_put_stid\n    refcount_dec_and_lock\n     spin_lock // clp->cl_lock\n\nWhen a file is opened, an nfs4_delegation is allocated with sc_count\ninitialized to 1, and the file_lease holds a reference to the delegation.\nThe file_lease is then associated with the file through kernel_setlease.\n\nThe disassociation is performed in nfsd4_delegreturn via the following\ncall chain:\nnfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->\nnfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease\nThe corresponding sc_count reference will be released after this\ndisassociation.\n\nSince nfsd_break_one_deleg executes while holding the flc_lock, the\ndisassociation process becomes blocked when attempting to acquire flc_lock\nin generic_delete_lease. This means:\n1) sc_count in nfsd_break_one_deleg will not be decremented to 0;\n2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to\nacquire cl_lock;\n3) Consequently, no deadlock condition is created.\n\nGiven that sc_count in nfsd_break_one_deleg remains non-zero, we can\nsafely perform refcount_dec on sc_count directly. This approach\neffectively avoids triggering deadlock warnings."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfsd/nfs4state.c"],"versions":[{"version":"b874cdef4e67e5150e07eff0eae1cbb21fb92da1","lessThan":"b9bbe8f9d5663311d06667ce36d6ed255ead1a26","status":"affected","versionType":"git"},{"version":"cdb796137c57e68ca34518d53be53b679351eb86","lessThan":"a70832d3555987035fc430ccd703acd89393eadb","status":"affected","versionType":"git"},{"version":"d96587cc93ec369031bcd7658c6adc719873c9fd","lessThan":"ba903539fff745d592d893c71b30e5e268a95413","status":"affected","versionType":"git"},{"version":"9a81cde8c7ce65dd90fb47ceea93a45fc1a2fbd1","lessThan":"7d192e27a431026c58d60edf66dc6cd98d0c01fc","status":"affected","versionType":"git"},{"version":"cad3479b63661a399c9df1d0b759e1806e2df3c8","lessThan":"a7fce086f6ca84db409b9d58493ea77c1978897c","status":"affected","versionType":"git"},{"version":"133f5e2a37ce08c82d24e8fba65e0a81deae4609","lessThan":"14985d66b9b99c12995dd99d1c6c8dec4114c2a5","status":"affected","versionType":"git"},{"version":"230ca758453c63bd38e4d9f4a21db698f7abada8","lessThan":"a1d14d931bf700c1025db8c46d6731aa5cf440f9","status":"affected","versionType":"git"},{"version":"63b91c8ff4589f5263873b24c052447a28e10ef7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/nfsd/nfs4state.c"],"versions":[{"version":"5.10.236","lessThan":"5.10.237","status":"affected","versionType":"semver"},{"version":"5.15.180","lessThan":"5.15.181","status":"affected","versionType":"semver"},{"version":"6.1.134","lessThan":"6.1.135","status":"affected","versionType":"semver"},{"version":"6.6.87","lessThan":"6.6.88","status":"affected","versionType":"semver"},{"version":"6.12.23","lessThan":"6.12.25","status":"affected","versionType":"semver"},{"version":"6.14.2","lessThan":"6.14.4","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.236","versionEndExcluding":"5.10.237"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.180","versionEndExcluding":"5.15.181"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.134","versionEndExcluding":"6.1.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.87","versionEndExcluding":"6.6.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.23","versionEndExcluding":"6.12.25"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14.2","versionEndExcluding":"6.14.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13.11"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26"},{"url":"https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb"},{"url":"https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413"},{"url":"https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc"},{"url":"https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c"},{"url":"https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5"},{"url":"https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9"}],"title":"nfsd: decrease sc_count directly if fail to queue dl_recall","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:56:48.360Z"}}]}}