lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <219985d542d0eb765d917c0ab620b6af5c62f1af.camel@kernel.org>
Date: Mon, 16 Jun 2025 08:09:27 -0400
From: Jeff Layton <jlayton@...nel.org>
To: ChenXiaoSong <chenxiaosong@...nxiaosong.com>
Cc: Olga Kornievskaia <okorniev@...hat.com>, Li Lingfeng	
 <lilingfeng3@...wei.com>, Dai Ngo <Dai.Ngo@...cle.com>, Neil Brown
 <neilb@...e.de>,  Chuck Lever <chuck.lever@...cle.com>, Tom Talpey
 <tom@...pey.com>, linux-nfs@...r.kernel.org, 	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/5] nfsd: prevent callback tasks running concurrently

On Mon, 2025-06-16 at 15:49 +0800, ChenXiaoSong wrote:
> Hi Jeff:
> 
> Do you have any suggestions for this null-ptr-deref issue?
> 
> Here is the link to the vmcore analysis:
> 
> https://chenxiaosong.com/en/nfs/en-null-ptr-deref-in-nfsd4_probe_callback.html
> 
> Thanks,
> ChenXiaoSong.
> 

Not right offhand. My first guess would be some sort of UAF. Maybe a
nfs4_client refcounting issue? If this is reproducible then you may
want to turn up KASAN which might give you more info.

That said, 4.19.90 is more than 6 years old at this point. You may want
to consider moving to something more recent.


> 在 2025/6/11 15:12, ChenXiaoSong 写道:
> > 在 2025/6/10 19:09, Jeff Layton 写道:
> > > 
> > > Synchronization was probably too strong a word. I remember looking over
> > > this code and convincing myself that the probe callback wasn't subject
> > > to the same races as the others, but I think that was mostly because
> > > the outcome of those races was not harmful. Note that the probe itself
> > > can actually be run at the start of a completely unrelated callback to
> > > the same client.
> > > 
> > > So you hit a NULL pointer in __queue_work()? The work_struct is
> > > embedded in the nfs4_client so that would probably imply that that the
> > > nfs4_client struct was corrupt?
> > > 
> > > You may want to get a vmcore and analyze it if you can reproduce this.
> > 
> > Thanks for your reply.
> > 
> > I have already got a vmcore. Here is the link to the vmcore analysis:
> > 
> > https://chenxiaosong.com/en/nfs/en-null-ptr-deref-in- 
> > nfsd4_probe_callback.html
> > 
> > Please let me know if you need any more detailed information.
> > 
> > Thanks,
> > ChenXiaoSong.
> 

-- 
Jeff Layton <jlayton@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ