do_nfs4_mount() issues a bunch of getattr RPCs before server->super->s_root is set. If the server replies with an NFS4ERR_MOVED during that time, nfs4_try_migration is called and crashes when it tries to dereference s_root.

This problem exists on riscv kernel 5.15 and amd64 5.4.0.

I've attached a demo:

# cc nfs_12.c
# ./a.out
...
[ 16.217793] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
[ 16.219341] Oops [#1]
[ 16.219811] Modules linked in:
[ 16.220504] CPU: 0 PID: 70 Comm: 127.0.0.1-manag Not tainted 5.15.0-rc7-dirty #47
[ 16.221715] Hardware name: ucbbar,riscvemu-bare (DT)
[ 16.222491] epc : nfs4_try_migration+0x9e/0x13e
[ 16.223367] ra : nfs4_try_migration+0x90/0x13e
[ 16.224234] epc : ffffffff8079a5f8 ra : ffffffff8079a5ea sp : ffffffd000593df0
...
[ 16.236558] status: 0000000200000121 badaddr: 0000000000000030 cause: 000000000000000d
[ 16.237694] [<ffffffff8079a5f8>] nfs4_try_migration+0x9e/0x13e
[ 16.238743] [<ffffffff8023fcfe>] nfs4_run_state_manager+0x438/0x6aa
[ 16.239804] [<ffffffff80025b60>] kthread+0xfe/0x110
[ 16.240690] [<ffffffff80003054>] ret_from_exception+0x0/0xc
Attachment:
nfs_12.c
Description: Binary data