lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250307032948epcms5p5280f36a460ef7a4def620096699a1df2@epcms5p5>
Date: Fri, 07 Mar 2025 08:59:48 +0530
From: Maninder Singh <maninder1.s@...sung.com>
To: Jeff Layton <jlayton@...nel.org>, "chuck.lever@...cle.com"
	<chuck.lever@...cle.com>, "neilb@...e.de" <neilb@...e.de>,
	"okorniev@...hat.com" <okorniev@...hat.com>, "Dai.Ngo@...cle.com"
	<Dai.Ngo@...cle.com>, "tom@...pey.com" <tom@...pey.com>,
	"lorenzo@...nel.org" <lorenzo@...nel.org>
CC: "linux-nfs@...r.kernel.org" <linux-nfs@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Chung-Ki Woo
	<chungki0201.woo@...sung.com>, Shubham Rana <s9.rana@...sung.com>
Subject: RE: [PATCH 2/2] NFSD: fix race between nfsd registration and
 exports_proc

Hi,

> > As of now nfsd calls create_proc_exports_entry() at start of init_nfsd
> > and cleanup by remove_proc_entry() at last of exit_nfsd.
> > 
> > Which causes kernel OOPs if there is race between below 2 operations:
> > (i) exportfs -r
> > (ii) mount -t nfsd none /proc/fs/nfsd
> > 
> > for 5.4 kernel ARM64:
> > 
> > CPU 1:
> > el1_irq+0xbc/0x180
> > arch_counter_get_cntvct+0x14/0x18
> > running_clock+0xc/0x18
> > preempt_count_add+0x88/0x110
> > prep_new_page+0xb0/0x220
> > get_page_from_freelist+0x2d8/0x1778
> > __alloc_pages_nodemask+0x15c/0xef0
> > __vmalloc_node_range+0x28c/0x478
> > __vmalloc_node_flags_caller+0x8c/0xb0
> > kvmalloc_node+0x88/0xe0
> > nfsd_init_net+0x6c/0x108 [nfsd]
> > ops_init+0x44/0x170
> > register_pernet_operations+0x114/0x270
> > register_pernet_subsys+0x34/0x50
> > init_nfsd+0xa8/0x718 [nfsd]
> > do_one_initcall+0x54/0x2e0
> > 
> > CPU 2 :
> > Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
> > 
> > PC is at : exports_net_open+0x50/0x68 [nfsd]
> > 
> > Call trace:
> > exports_net_open+0x50/0x68 [nfsd]
> > exports_proc_open+0x2c/0x38 [nfsd]
> > proc_reg_open+0xb8/0x198
> > do_dentry_open+0x1c4/0x418
> > vfs_open+0x38/0x48
> > path_openat+0x28c/0xf18
> > do_filp_open+0x70/0xe8
> > do_sys_open+0x154/0x248



> To make sure I understand, the race is that sometimes the exports
> interface gets created before the net namespace is set up, and then
> that causes GPFs when exports_net_open tries to access the nfsd_net?
> 


Yes, Sometime at time of module init this happened as I shared state of 2 CPUs at
time of crash.
and sometimes it occurs when module was unloading and user space was accessing it.

So I though interface to user shall be exported late during init and clean up early.
But what is actual position for that I was not sure, So I moved to last at time of init
and first at time of clean up.

And originally at time of 4.13 kernel this cleanup was the first thing to do in exit time.
but with time to fixing other issues, its position got changed.

https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=027690c75e8fd91b60a634d31c4891a6e39d45bd
https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7
https://web.git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=6f6f84aa215f7b6665ccbb937db50860f9ec2989

Which caused this kernel OOPs I think.

Thanks,
Maninder Singh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ