[BUG] After unloading the nfsd module, a use-after-free occurred due to objects remaining on __kmem_cache_shutdown().

김강민

Oct 11, 2025, 4:20:03 PM (7 days ago) Oct 11
to chuck...@oracle.com, jla...@kernel.org, ne...@brown.name, okor...@redhat.com, Dai...@oracle.com, t...@talpey.com, linu...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com
Dear Linux kernel developers and maintainers,

Hello,
This bug was discovered through syzkaller.

Kernel driver involved: nfsd

Version detected by syzkaller:
- Commit version: cd5a0afbdf8033dc83786315d63f8b325bdba2fd

Details
If the test driver is forcibly unloaded, objects remain in memory,
which can later lead to issues such as use-after-free.
Additionally, this issue can be easily reproduced with the following command.
$ sudo rmmod -f nfsd
Note: Since the nfsd service is running internally with open ports and
mounted shares, it may affect this issue. Therefore, the boot log is
attached as a file.

Please let me know if any further information is required.

Best Regards,
GangMin Kim.
bug_report.txt
crepro.c
kernel_log.txt
.config

Chuck Lever

Oct 11, 2025, 6:19:19 PM (7 days ago) Oct 11
to 김강민, jla...@kernel.org, ne...@brown.name, okor...@redhat.com, Dai...@oracle.com, t...@talpey.com, linu...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com
On 10/11/25 4:19 PM, 김강민 wrote:
> Dear Linux kernel developers and maintainers,
>
> Hello,
> This bug was discovered through syzkaller.
>
> Kernel driver involved: nfsd
>
> Version detected by syzkaller:
> - Commit version: cd5a0afbdf8033dc83786315d63f8b325bdba2fd

In my Linux kernel repo, commit cd5a0a is not related to NFSD:

cel@oracle-102:~/src/linux/for-korg$ git show cd5a0afbdf8033dc83786315d63f8b325bdba2fd
commit cd5a0afbdf8033dc83786315d63f8b325bdba2fd
Merge: ed4d6e92463e 3f39f5652037
Author: Linus Torvalds <torv...@linux-foundation.org>
AuthorDate: Wed Oct 8 11:44:21 2025 -0700
Commit: Linus Torvalds <torv...@linux-foundation.org>
CommitDate: Wed Oct 8 11:44:21 2025 -0700

Merge tag 'mailbox-v6.18' of
git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox

Pull mailbox updates from Jassi Brar:


Would it be possible for you to bisect the failure?


> Details
> If the test driver is forcibly unloaded, objects remain in memory,
> which can later lead to issues such as use-after-free.
> Additionally, This issue can be easily reproduced with the following command.
> $ sudo rmmod -f nfsd
> Note: Since the nfsd service is running internally with open ports and
> mounted shares, it may affect this issue. Therefore, the boot log is
> attached as a file.
>
> Please let me know if any further information is required.
>
> Best Regards,
> GangMin Kim.


--
Chuck Lever

NeilBrown

Oct 12, 2025, 8:25:59 AM (6 days ago) Oct 12
to 김강민, chuck...@oracle.com, jla...@kernel.org, okor...@redhat.com, Dai...@oracle.com, t...@talpey.com, linu...@vger.kernel.org, linux-...@vger.kernel.org, syzk...@googlegroups.com
On Sun, 12 Oct 2025, 김강민 wrote:
> Dear Linux kernel developers and maintainers,
>
> Hello,
> This bug was discovered through syzkaller.

I don't think this is a bug.
Passing O_TRUNC to delete_module(), or passing -f to rmmod, is documented
as "dangerous" and "extremely dangerous" respectively.

If you do something that is dangerous, you should expect bad things to
happen.

Presumably the nfsd exit_module function is failing because something is
still in use - as it is allowed to do - and the module is being removed
anyway.

i.e. the "bug" report is invalid.

NeilBrown
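As an added illustration of the point made above, and not code from this thread or from the kernel tree: the check an administrator would run before considering rmmod is to look at the module's reference count and dependents in lsmod output. The script below parses lsmod-style text and reports why a plain (non-forced) unload would be refused, so the unload is never forced. The lsmod lines are constructed sample data, and the function name unload_check is made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# lsmod columns: Module  Size  Used-by-count  [comma-separated dependent modules]

# Constructed sample lsmod output (not a real capture).
SAMPLE_LSMOD='Module                  Size  Used by
nfsd                  786432  5
auth_rpcgss           196608  2 nfsd
lockd                 139264  1 nfsd
sunrpc                724992  11 nfsd,auth_rpcgss,lockd
ext4                  987136  1
crc32c_generic         12288  0
crc16                  12288  1 ext4'

# unload_check MODULE LSMOD_TEXT
# Prints a one-line verdict and returns 0 only when a plain "rmmod MODULE"
# should succeed (refcount 0, no dependents); returns 1 otherwise.
unload_check() {
    mod=$1
    text=$2
    # Select the line whose first column is exactly the module name.
    line=$(printf '%s\n' "$text" | awk -v m="$mod" '$1 == m')
    if [ -z "$line" ]; then
        printf '%s: not loaded\n' "$mod"
        return 1
    fi
    refcnt=$(printf '%s\n' "$line" | awk '{print $3}')
    users=$(printf '%s\n' "$line" | awk '{print $4}')
    if [ "$refcnt" -eq 0 ]; then
        printf '%s: refcount 0, rmmod should succeed\n' "$mod"
        return 0
    fi
    if [ -n "$users" ]; then
        # Other modules depend on this one; they must be unloaded first.
        printf '%s: held by dependent modules (%s); unload those first\n' "$mod" "$users"
    else
        # Refcount with no listed dependents means in-kernel users (open
        # sockets, mounts, kernel threads): stop the service, do not force.
        printf '%s: refcount %s held by in-kernel users; stop the service instead of forcing\n' "$mod" "$refcnt"
    fi
    return 1
}

# Usage: unload_check nfsd "$(lsmod)"
```

In the sample, nfsd shows a refcount of 5 with no dependent modules listed, which is the situation the thread describes: the count is held by the running service, so rmmod refuses the unload and only the forced path proceeds.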