{"uuid": "08aae369-dda4-4033-b7d9-389090e04278", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-37871", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/15700", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-37871\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: decrease sc_count directly if fail to queue dl_recall\n\nA deadlock warning occurred when invoking nfs4_put_stid following a failed\ndl_recall queue operation:\n            T1                            T2\n                                nfs4_laundromat\n                                 nfs4_get_client_reaplist\n                                  nfs4_anylock_blockers\n__break_lease\n spin_lock // ctx->flc_lock\n                                   spin_lock // clp->cl_lock\n                                   nfs4_lockowner_has_blockers\n                                    locks_owner_has_blockers\n                                     spin_lock // flctx->flc_lock\n nfsd_break_deleg_cb\n  nfsd_break_one_deleg\n   nfs4_put_stid\n    refcount_dec_and_lock\n     spin_lock // clp->cl_lock\n\nWhen a file is opened, an nfs4_delegation is allocated with sc_count\ninitialized to 1, and the file_lease holds a reference to the delegation.\nThe file_lease is then associated with the file through kernel_setlease.\n\nThe disassociation is performed in nfsd4_delegreturn via the following\ncall chain:\nnfsd4_delegreturn --> destroy_delegation --> destroy_unhashed_deleg -->\nnfs4_unlock_deleg_lease --> kernel_setlease --> generic_delete_lease\nThe corresponding sc_count reference will be released after this\ndisassociation.\n\nSince nfsd_break_one_deleg executes while holding the flc_lock, the\ndisassociation process 
becomes blocked when attempting to acquire flc_lock\nin generic_delete_lease. This means:\n1) sc_count in nfsd_break_one_deleg will not be decremented to 0;\n2) The nfs4_put_stid called by nfsd_break_one_deleg will not attempt to\nacquire cl_lock;\n3) Consequently, no deadlock condition is created.\n\nGiven that sc_count in nfsd_break_one_deleg remains non-zero, we can\nsafely perform refcount_dec on sc_count directly. This approach\neffectively avoids triggering deadlock warnings.\n\ud83d\udccf Published: 2025-05-09T06:43:59.720Z\n\ud83d\udccf Modified: 2025-05-09T06:43:59.720Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/b9bbe8f9d5663311d06667ce36d6ed255ead1a26\n2. https://git.kernel.org/stable/c/a70832d3555987035fc430ccd703acd89393eadb\n3. https://git.kernel.org/stable/c/ba903539fff745d592d893c71b30e5e268a95413\n4. https://git.kernel.org/stable/c/7d192e27a431026c58d60edf66dc6cd98d0c01fc\n5. https://git.kernel.org/stable/c/a7fce086f6ca84db409b9d58493ea77c1978897c\n6. https://git.kernel.org/stable/c/14985d66b9b99c12995dd99d1c6c8dec4114c2a5\n7. https://git.kernel.org/stable/c/a1d14d931bf700c1025db8c46d6731aa5cf440f9", "creation_timestamp": "2025-05-09T07:25:47.000000Z"}