In the Linux kernel, the following vulnerability has been resolved:
NFSD: fix race between nfsd registration and exports_proc
As of now nfsd calls createprocexportsentry() at start of initnfsd and cleanup by removeprocentry() at last of exit_nfsd.
Which causes kernel OOPs if there is race between below 2 operations: (i) exportfs -r (ii) mount -t nfsd none /proc/fs/nfsd
for 5.4 kernel ARM64:
CPU 1: el1irq+0xbc/0x180 archcountergetcntvct+0x14/0x18 runningclock+0xc/0x18 preemptcountadd+0x88/0x110 prepnewpage+0xb0/0x220 getpagefromfreelist+0x2d8/0x1778 _allocpagesnodemask+0x15c/0xef0 _vmallocnoderange+0x28c/0x478 _vmallocnodeflagscaller+0x8c/0xb0 kvmallocnode+0x88/0xe0 nfsdinitnet+0x6c/0x108 [nfsd] opsinit+0x44/0x170 registerpernetoperations+0x114/0x270 registerpernetsubsys+0x34/0x50 initnfsd+0xa8/0x718 [nfsd] doone_initcall+0x54/0x2e0
CPU 2 : Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
PC is at : exportsnetopen+0x50/0x68 [nfsd]
Call trace: exportsnetopen+0x50/0x68 [nfsd] exportsprocopen+0x2c/0x38 [nfsd] procregopen+0xb8/0x198 dodentryopen+0x1c4/0x418 vfsopen+0x38/0x48 pathopenat+0x28c/0xf18 dofilpopen+0x70/0xe8 dosysopen+0x154/0x248
Sometimes it crashes at exportsnetopen() and sometimes cacheseqnext_rcu().
and same is happening on latest 6.14 kernel as well:
[ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty ... [ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48 ... [ 285.464902] pc : cacheseqnextrcu+0x78/0xa4 ... [ 285.469695] Call trace: [ 285.470083] cacheseqnextrcu+0x78/0xa4 (P) [ 285.470488] seqread+0xe0/0x11c [ 285.470675] procregread+0x9c/0xf0 [ 285.470874] vfsread+0xc4/0x2fc [ 285.471057] ksysread+0x6c/0xf4 [ 285.471231] _arm64sysread+0x1c/0x28 [ 285.471428] invokesyscall+0x44/0x100 [ 285.471633] el0svccommon.constprop.0+0x40/0xe0 [ 285.471870] doel0svccompat+0x1c/0x34 [ 285.472073] el0svccompat+0x2c/0x80 [ 285.472265] el0t32synchandler+0x90/0x140 [ 285.472473] el0t32_sync+0x19c/0x1a0 [ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3) [ 285.473422] ---[ end trace 0000000000000000 ]---
It reproduced simply with below script: while [ 1 ] do /exportfs -r done &
while [ 1 ] do insmod /nfsd.ko mount -t nfsd none /proc/fs/nfsd umount /proc/fs/nfsd rmmod nfsd done &
So exporting interfaces to user space shall be done at last and cleanup at first place.
With change there is no Kernel OOPs.