Message-ID: <56d176c7-f907-4557-8848-5f43d25b33cb@oracle.com>
Date: Sat, 11 Oct 2025 18:18:52 -0400
From: Chuck Lever <chuck.lever@...cle.com>
To: 김강민 <km.kim1503@...il.com>, jlayton@...nel.org
Cc: neil@...wn.name, okorniev@...hat.com, Dai.Ngo@...cle.com, tom@...pey.com,
linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com
Subject: Re: [BUG] After unloading the nfsd module, a use-after-free occurred
 due to Objects remaining on __kmem_cache_shutdown().

On 10/11/25 4:19 PM, 김강민 wrote:
> Dear Linux kernel developers and maintainers,
>
> Hello,
> This bug was discovered through syzkaller.
>
> Kernel driver involved: nfsd
>
> Version detected by syzkaller:
> - Commit version: cd5a0afbdf8033dc83786315d63f8b325bdba2fd

In my Linux kernel repo, commit cd5a0a is not related to NFSD:

cel@...cle-102:~/src/linux/for-korg$ git show cd5a0afbdf8033dc83786315d63f8b325bdba2fd
commit cd5a0afbdf8033dc83786315d63f8b325bdba2fd
Merge: ed4d6e92463e 3f39f5652037
Author: Linus Torvalds <torvalds@...ux-foundation.org>
AuthorDate: Wed Oct 8 11:44:21 2025 -0700
Commit: Linus Torvalds <torvalds@...ux-foundation.org>
CommitDate: Wed Oct 8 11:44:21 2025 -0700

    Merge tag 'mailbox-v6.18' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox

    Pull mailbox updates from Jassi Brar:

Would it be possible for you to bisect the failure?

> Details
> If the test driver is forcibly unloaded, objects remain in memory,
> which can later lead to issues such as use-after-free.
> Additionally, this issue can be easily reproduced with the following command.
> $ sudo rmmod -f nfsd
> Note: Since the nfsd service is running internally with open ports and
> mounted shares, it may affect this issue. Therefore, the boot log is
> attached as a file.
>
> Please let me know if any further information is required.
>
> Best Regards,
> GangMin Kim.

--
Chuck Lever