Re: [BUG] After unloading the nfsd module, a use-after-free occurred due to Objects remaining on __kmem_cache_shutdown().
From: NeilBrown
Date: Sat Oct 11 2025 - 19:55:23 EST
On Sun, 12 Oct 2025, 김강민 wrote:
> Dear Linux kernel developers and maintainers,
>
> Hello,
> This bug was discovered through syzkaller.
I don't think this is a bug.

Passing O_TRUNC to delete_module(), or passing -f to rmmod is documented
as "dangerous" and "extremely dangerous" respectively.
If you do something that is dangerous, you should expect bad things to
happen.

Presumably the nfsd exit_module function is failing because something is
still in use - as it is allowed to do - and the module is being removed
anyway.

i.e. the "bug" report is invalid.

NeilBrown
>
> Kernel driver involved: nfsd
>
> Version detected by syzkaller:
> - Commit version: cd5a0afbdf8033dc83786315d63f8b325bdba2fd
>
> Details
> If the test driver is forcibly unloaded, objects remain in memory,
> which can later lead to issues such as use-after-free.
> Additionally, this issue can be easily reproduced with the following command.
> $ sudo rmmod -f nfsd
> Note: Since the nfsd service is running internally with open ports and
> mounted shares, it may affect this issue. Therefore, the boot log is
> attached as a file.
>
> Please let me know if any further information is required.
>
> Best Regards,
> GangMin Kim.
>