On Wed, 2023-01-11 at 07:33 -0500, Jeff Layton wrote:
>
> One thing that might be interesting to rule out a UAF would be to
> explicitly poison this struct in nfsd_exit_net. Basically do something
> like this at the end of exit_net:
>
> memset(net, 0x7c, sizeof(*net));
>
> That might help trigger an oops sooner after the problem occurs.

Blasting net rendered the VM non-booting. Blasting nn OTOH seems to
have changed nothing at all.

> If you're feeling ambitious, another thing you could do is track down
> some of the running nfsd's in the vmcore, find their rqstp values and
> see whether the sockets are pointed at the same nfsd_net as the one you
> found above (see the nfsd() function to see how to get from one to the
> other).
>
> If they're pointed at a different nfsd_net than that, it would suggest that
> we are looking at a UAF. If it's the same nfsd_net, then I'd lean more
> toward some sort of memory scribble.

Way better: scrawny NFS chimp hands dump to big/strong NFS gorilla :)

-Mike