Message-id: <176022691571.1793333.714819698603408503@noble.neil.brown.name>
Date: Sun, 12 Oct 2025 10:55:15 +1100
From: NeilBrown <neilb@...mail.net>
To: 김강민 <km.kim1503@...il.com>
Cc: chuck.lever@...cle.com, jlayton@...nel.org, okorniev@...hat.com,
 Dai.Ngo@...cle.com, tom@...pey.com, linux-nfs@...r.kernel.org,
 linux-kernel@...r.kernel.org, syzkaller@...glegroups.com
Subject: Re: [BUG] After unloading the nfsd module, a use-after-free occurred
 due to Objects remaining on __kmem_cache_shutdown().

On Sun, 12 Oct 2025, 김강민 wrote:
> Dear Linux kernel developers and maintainers,
> 
> Hello,
> This bug was discovered through syzkaller.

I don't think this is a bug.
Passing O_TRUNC to delete_module(), or passing -f to rmmod is documented
as "dangerous" and "extremely dangerous" respectively.

If you do something that is dangerous, you should expect bad things to
happen.

Presumably the nfsd exit_module function is failing because something is
still in use - as it is allowed to do - and the module is being removed
anyway.

i.e. the "bug" report is invalid.

NeilBrown

> 
> Kernel driver involved: nfsd
> 
> Version detected by syzkaller:
> - Commit version: cd5a0afbdf8033dc83786315d63f8b325bdba2fd
> 
> Details
> If the test driver is forcibly unloaded, objects remain in memory,
> which can later lead to issues such as use-after-free.
> Additionally, this issue can be easily reproduced with the following command.
> $ sudo rmmod -f nfsd
> Note: Since the nfsd service is running internally with open ports and
> mounted shares, it may affect this issue. Therefore, the boot log is
> attached as a file.
> 
> Please let me know if any further information is required.
> 
> Best Regards,
> GangMin Kim.
> 
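
An added example, not part of the thread: a triage check that tells whether a kernel has had a module force-unloaded, which is the condition the reply above says invalidates the report. It relies on the kernel taint mask, where bit 3 (value 8, letter R) records a forced unload, and on CONFIG_MODULE_FORCE_UNLOAD; the function names and the /boot/config-* path are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide whether a crash report comes from a kernel where a
# module was force-unloaded (rmmod -f / delete_module() with O_TRUNC).

# Bit 3 of /proc/sys/kernel/tainted (value 8, 'R') means "module was force unloaded".
TAINT_FORCED_RMMOD_BIT=3

# forced_rmmod_seen MASK -> prints yes, no, or invalid
forced_rmmod_seen() {
    mask=$1
    case $mask in
        ''|*[!0-9]*) echo invalid; return 0 ;;   # not a decimal taint mask
    esac
    if [ $(( ($mask >> $TAINT_FORCED_RMMOD_BIT) & 1 )) -eq 1 ]; then
        echo yes
    else
        echo no
    fi
}

# force_unload_configured CONFIG_FILE -> prints yes, no, or unknown
# "no" means rmmod -f cannot bypass the in-use check on this kernel build.
force_unload_configured() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo unknown
    elif grep -q '^CONFIG_MODULE_FORCE_UNLOAD=y' "$cfg"; then
        echo yes
    else
        echo no
    fi
}

# Live check on the local host, skipped where /proc is not available.
if [ -r /proc/sys/kernel/tainted ]; then
    echo "forced-unload taint: $(forced_rmmod_seen "$(cat /proc/sys/kernel/tainted)")"
fi
# Assumed config location; some distributions only expose /proc/config.gz.
echo "force unload built in: $(force_unload_configured "/boot/config-$(uname -r)")"
```

The taint bit stays set until reboot, so a "yes" on a host that later reports a use-after-free points at the forced unload rather than at the module's normal exit path.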

