CVE-2023-54276

In the Linux kernel, the following vulnerability has been resolved:

nfsd: move init of percpu replycachestats counters back to nfsdinitnet

Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup") moved the initialization of the reply cache into nfsd startup, but didn't account for the stats counters, which can be accessed before nfsd is ever started. The result can be a NULL pointer dereference when someone accesses /proc/fs/nfsd/replycachestats while nfsd is still shut down.

This is a regression and a user-triggerable oops in the right situation:

• non-x86_64 arch
• /proc/fs/nfsd is mounted in the namespace
• nfsd is not started in the namespace
• unprivileged user calls "cat /proc/fs/nfsd/replycachestats"

Although this is easy to trigger on some arches (like aarch64), on x8664, calling thiscpuptr(NULL) evidently returns a pointer to the fixedpercpudata. That struct looks just enough like a newly initialized percpu var to allow nfsdreplycachestats_show to access it without Oopsing.

Move the initialization of the per-net+per-cpu reply-cache counters back into nfsdinitnet, while leaving the rest of the reply cache allocations to be done at nfsd startup time.

Kudos to Eirik who did most of the legwork to track this down.