CVE-2025-38232

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSD: fix race between nfsd registration and exports_proc<br /> <br /> As of now nfsd calls create_proc_exports_entry() at start of init_nfsd<br /> and cleanup by remove_proc_entry() at last of exit_nfsd.<br /> <br /> Which causes kernel OOPs if there is race between below 2 operations:<br /> (i) exportfs -r<br /> (ii) mount -t nfsd none /proc/fs/nfsd<br /> <br /> for 5.4 kernel ARM64:<br /> <br /> CPU 1:<br /> el1_irq+0xbc/0x180<br /> arch_counter_get_cntvct+0x14/0x18<br /> running_clock+0xc/0x18<br /> preempt_count_add+0x88/0x110<br /> prep_new_page+0xb0/0x220<br /> get_page_from_freelist+0x2d8/0x1778<br /> __alloc_pages_nodemask+0x15c/0xef0<br /> __vmalloc_node_range+0x28c/0x478<br /> __vmalloc_node_flags_caller+0x8c/0xb0<br /> kvmalloc_node+0x88/0xe0<br /> nfsd_init_net+0x6c/0x108 [nfsd]<br /> ops_init+0x44/0x170<br /> register_pernet_operations+0x114/0x270<br /> register_pernet_subsys+0x34/0x50<br /> init_nfsd+0xa8/0x718 [nfsd]<br /> do_one_initcall+0x54/0x2e0<br /> <br /> CPU 2 :<br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010<br /> <br /> PC is at : exports_net_open+0x50/0x68 [nfsd]<br /> <br /> Call trace:<br /> exports_net_open+0x50/0x68 [nfsd]<br /> exports_proc_open+0x2c/0x38 [nfsd]<br /> proc_reg_open+0xb8/0x198<br /> do_dentry_open+0x1c4/0x418<br /> vfs_open+0x38/0x48<br /> path_openat+0x28c/0xf18<br /> do_filp_open+0x70/0xe8<br /> do_sys_open+0x154/0x248<br /> <br /> Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().<br /> <br /> and same is happening on latest 6.14 kernel as well:<br /> <br /> [ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty<br /> ...<br /> [ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48<br /> ...<br /> [ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4<br /> ...<br /> [ 285.469695] Call trace:<br /> [ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P)<br /> [ 285.470488] seq_read+0xe0/0x11c<br /> [ 285.470675] proc_reg_read+0x9c/0xf0<br /> [ 285.470874] vfs_read+0xc4/0x2fc<br /> [ 285.471057] ksys_read+0x6c/0xf4<br /> [ 285.471231] __arm64_sys_read+0x1c/0x28<br /> [ 285.471428] invoke_syscall+0x44/0x100<br /> [ 285.471633] el0_svc_common.constprop.0+0x40/0xe0<br /> [ 285.471870] do_el0_svc_compat+0x1c/0x34<br /> [ 285.472073] el0_svc_compat+0x2c/0x80<br /> [ 285.472265] el0t_32_sync_handler+0x90/0x140<br /> [ 285.472473] el0t_32_sync+0x19c/0x1a0<br /> [ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)<br /> [ 285.473422] ---[ end trace 0000000000000000 ]---<br /> <br /> It reproduced simply with below script:<br /> while [ 1 ]<br /> do<br /> /exportfs -r<br /> done &amp;<br /> <br /> while [ 1 ]<br /> do<br /> insmod /nfsd.ko<br /> mount -t nfsd none /proc/fs/nfsd<br /> umount /proc/fs/nfsd<br /> rmmod nfsd<br /> done &amp;<br /> <br /> So exporting interfaces to user space shall be done at last and<br /> cleanup at first place.<br /> <br /> With change there is no Kernel OOPs.