Message-ID: <CAGfirffSOjQtJ=FhZ1bhmqDMtdm2UAgvo9TdJNY5hU4KJXQ+pw@mail.gmail.com>
Date: Sun, 12 Oct 2025 05:19:47 +0900
From: 김강민 <km.kim1503@...il.com>
To: chuck.lever@...cle.com, jlayton@...nel.org
Cc: neil@...wn.name, okorniev@...hat.com, Dai.Ngo@...cle.com, tom@...pey.com, 
	linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org, 
	syzkaller@...glegroups.com
Subject: [BUG] After unloading the nfsd module, a use-after-free occurred due
 to Objects remaining on __kmem_cache_shutdown().

Dear Linux kernel developers and maintainers,

Hello,
This bug was discovered through syzkaller.

Kernel driver involved: nfsd

Version detected by syzkaller:
- Commit version: cd5a0afbdf8033dc83786315d63f8b325bdba2fd

Details
If the test driver is forcibly unloaded, objects remain in memory,
which can later lead to issues such as use-after-free.
Additionally, this issue can be easily reproduced with the following command.
$ sudo rmmod -f nfsd
Note: Since the nfsd service is running internally with open ports and
mounted shares, it may affect this issue. Therefore, the boot log is
attached as a file.

Please let me know if any further information is required.

Best Regards,
GangMin Kim.

View attachment "bug_report.txt" of type "text/plain" (63024 bytes)

View attachment "crepro.c" of type "text/plain" (3909 bytes)

View attachment "kernel_log.txt" of type "text/plain" (39668 bytes)

Download attachment ".config" of type "application/xml" (152968 bytes)
