In the Linux kernel, the following vulnerability has been resolved:
nfsd: decrease sccount directly if fail to queue dlrecall
A deadlock warning occurred when invoking nfs4putstid following a failed dlrecall queue operation: T1 T2 nfs4laundromat nfs4getclientreaplist nfs4anylockblockers _breaklease spinlock // ctx->flclock spinlock // clp->cllock nfs4lockownerhasblockers locksownerhasblockers spinlock // flctx->flclock nfsdbreakdelegcb nfsdbreakonedeleg nfs4putstid refcountdecandlock spinlock // clp->cllock
When a file is opened, an nfs4delegation is allocated with sccount initialized to 1, and the filelease holds a reference to the delegation. The filelease is then associated with the file through kernel_setlease.
The disassociation is performed in nfsd4delegreturn via the following call chain: nfsd4delegreturn --> destroydelegation --> destroyunhasheddeleg --> nfs4unlockdeleglease --> kernelsetlease --> genericdeletelease The corresponding sccount reference will be released after this disassociation.
Since nfsdbreakonedeleg executes while holding the flclock, the disassociation process becomes blocked when attempting to acquire flclock in genericdeletelease. This means: 1) sccount in nfsdbreakonedeleg will not be decremented to 0; 2) The nfs4putstid called by nfsdbreakonedeleg will not attempt to acquire cl_lock; 3) Consequently, no deadlock condition is created.
Given that sccount in nfsdbreakonedeleg remains non-zero, we can safely perform refcountdec on sccount directly. This approach effectively avoids triggering deadlock warnings.