Re: [PATCH 1/1] NFSD: fix WARN_ON_ONCE in __queue_delayed_work
From: Mike Galbraith <hidden>
Date: 2023-01-11 13:49:03
On Wed, 2023-01-11 at 07:33 -0500, Jeff Layton wrote:
> One thing that might be interesting to rule out a UAF would be to explicitly poison this struct in nfsd_exit_net. Basically do something like this at the end of exit_net: memset(net, 0x7c, sizeof(*net)); That might help trigger an oops sooner after the problem occurs.

Blasting net rendered the VM non-booting. Blasting nn OTOH seems to have changed nothing at all.

> If you're feeling ambitious, another thing you could do is track down some of the running nfsd's in the vmcore, find their rqstp values and see whether the sockets are pointed at the same nfsd_net as the one you found above (see nfsd() function to see how to get from one to the other). If they're pointed at a different nfsd_net then that would suggest that we are looking at a UAF. If it's the same nfsd_net, then I'd lean more toward some sort of memory scribble.

Way better: scrawny NFS chimp hands dump to big/strong NFS gorilla :)

-Mike
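The poisoning trick discussed in the thread, as an added user-space illustration that is not part of this e-mail or of the nfsd code: the per-net struct is filled with 0x7c on teardown, so a later use of it either reads an all-0x7c object (a use after exit_net) or an object whose poison has been partly overwritten (memory reused or scribbled since teardown). The struct, the classify/poison helpers and the work_ref type are hypothetical stand-ins; the real exit_net frees the object, while this model only poisons it so the demonstration stays well-defined.

```c
/* Added example, not from the nfsd thread or the kernel. Models
 * memset(nn, 0x7c, sizeof(*nn)) at the end of a net teardown and the checks
 * one would run on the object afterwards. All names here are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POISON_BYTE 0x7c

/* Stand-in for something a delayed work item would reach through nn. */
struct work_ref {
    int id;
};

/* Stand-in for the per-net struct; the real one has many more fields. */
struct nfsd_net_model {
    struct work_ref *wq;
    unsigned long flags;
    unsigned char pad[32];
};

/* Teardown: the real exit_net frees nn; here it is only poisoned so the
 * memory stays valid and the later reads are not undefined behaviour. */
void model_exit_net(struct nfsd_net_model *nn)
{
    memset(nn, POISON_BYTE, sizeof(*nn));
}

/* True if every byte of the object still carries the poison pattern:
 * the object was torn down and nothing has reused the memory since. */
bool is_fully_poisoned(const void *obj, size_t len)
{
    const unsigned char *p = obj;
    for (size_t i = 0; i < len; i++)
        if (p[i] != POISON_BYTE)
            return false;
    return true;
}

/* True if the pointer stored at `slot` is all 0x7c bytes. The bytes are
 * copied out rather than loaded as a pointer, so no invalid pointer value
 * is ever formed. On x86-64 such a value is a non-canonical address, which
 * is why a poisoned pointer faults immediately instead of reading whatever
 * now occupies the freed memory. */
bool is_poison_pointer_slot(const void *slot)
{
    unsigned char b[sizeof(void *)];
    memcpy(b, slot, sizeof b);
    for (size_t i = 0; i < sizeof b; i++)
        if (b[i] != POISON_BYTE)
            return false;
    return true;
}

/* What a late consumer (the delayed work path) would find if it checked the
 * object instead of dereferencing it:
 *   0 = looks alive
 *   1 = entirely poisoned: used after exit_net, memory not yet reused
 *   2 = pointer field still poisoned but other bytes changed: memory was
 *       reused or scribbled on after teardown */
int classify_object(const struct nfsd_net_model *nn)
{
    if (is_fully_poisoned(nn, sizeof(*nn)))
        return 1;
    if (is_poison_pointer_slot(&nn->wq))
        return 2;
    return 0;
}

int main(void)
{
    struct work_ref w = { .id = 1 };
    struct nfsd_net_model nn = { .wq = &w, .flags = 1 };

    printf("before exit_net: %d\n", classify_object(&nn));
    model_exit_net(&nn);
    printf("after exit_net:  %d\n", classify_object(&nn));
    nn.flags = 0; /* something reuses part of the freed memory */
    printf("after overwrite: %d\n", classify_object(&nn));
    return 0;
}
```

In a vmcore the same distinction is made by eye: an nfsd_net whose fields are all 0x7c7c... is a use after exit_net, while one with sane-looking but wrong contents is what a scribble or slab reuse leaves behind.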