CVE-2025-38232

EUVD-2025-20024
In the Linux kernel, the following vulnerability has been resolved:

NFSD: fix race between nfsd registration and exports_proc

As of now nfsd calls create_proc_exports_entry() at start of init_nfsd
and cleanup by remove_proc_entry() at last of exit_nfsd.

Which causes kernel OOPs if there is race between below 2 operations:
(i) exportfs -r
(ii) mount -t nfsd none /proc/fs/nfsd

for 5.4 kernel ARM64:

CPU 1:
el1_irq+0xbc/0x180
arch_counter_get_cntvct+0x14/0x18
running_clock+0xc/0x18
preempt_count_add+0x88/0x110
prep_new_page+0xb0/0x220
get_page_from_freelist+0x2d8/0x1778
__alloc_pages_nodemask+0x15c/0xef0
__vmalloc_node_range+0x28c/0x478
__vmalloc_node_flags_caller+0x8c/0xb0
kvmalloc_node+0x88/0xe0
nfsd_init_net+0x6c/0x108 [nfsd]
ops_init+0x44/0x170
register_pernet_operations+0x114/0x270
register_pernet_subsys+0x34/0x50
init_nfsd+0xa8/0x718 [nfsd]
do_one_initcall+0x54/0x2e0

CPU 2 :
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010

PC is at : exports_net_open+0x50/0x68 [nfsd]

Call trace:
exports_net_open+0x50/0x68 [nfsd]
exports_proc_open+0x2c/0x38 [nfsd]
proc_reg_open+0xb8/0x198
do_dentry_open+0x1c4/0x418
vfs_open+0x38/0x48
path_openat+0x28c/0xf18
do_filp_open+0x70/0xe8
do_sys_open+0x154/0x248

Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().

and same is happening on latest 6.14 kernel as well:

[    0.000000] Linux version 6.14.0-rc5-next-20250304-dirty
...
[  285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48
...
[  285.464902] pc : cache_seq_next_rcu+0x78/0xa4
...
[  285.469695] Call trace:
[  285.470083]  cache_seq_next_rcu+0x78/0xa4 (P)
[  285.470488]  seq_read+0xe0/0x11c
[  285.470675]  proc_reg_read+0x9c/0xf0
[  285.470874]  vfs_read+0xc4/0x2fc
[  285.471057]  ksys_read+0x6c/0xf4
[  285.471231]  __arm64_sys_read+0x1c/0x28
[  285.471428]  invoke_syscall+0x44/0x100
[  285.471633]  el0_svc_common.constprop.0+0x40/0xe0
[  285.471870]  do_el0_svc_compat+0x1c/0x34
[  285.472073]  el0_svc_compat+0x2c/0x80
[  285.472265]  el0t_32_sync_handler+0x90/0x140
[  285.472473]  el0t_32_sync+0x19c/0x1a0
[  285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)
[  285.473422] ---[ end trace 0000000000000000 ]---

It reproduced simply with below script:
while [ 1 ]
do
/exportfs -r
done &

while [ 1 ]
do
insmod /nfsd.ko
mount -t nfsd none /proc/fs/nfsd
umount /proc/fs/nfsd
rmmod nfsd
done &

So exporting interfaces to user space shall be done at last and
cleanup at first place.

With change there is no Kernel OOPs.
Race Condition
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.7 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
𝑥
< 6.12.35
linuxlinux_kernel
6.13 ≤
𝑥
< 6.15.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.176-1
fixed
bullseye
vulnerable
bullseye (security)
vulnerable
forky
7.0.13-1
fixed
sid
7.1.3-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.95-1
fixed
linux-6.1
bullseye (security)
6.1.176-1~deb11u1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
bpftool-debuginfo
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel-devel
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel-headers
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel-libbpf
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel-libbpf-debuginfo
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel-libbpf-devel
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel-libbpf-static
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel-livepatch-6.12.35-55.103
Amazon Linux 2023
0:1.0-0.amzn2023
fixed
kernel-modules-extra-common
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel-tools
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel-tools-debuginfo
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel-tools-devel
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel6.12
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel6.12-debuginfo
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel6.12-debuginfo-common-aarch64
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel6.12-debuginfo-common-x86_64
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
kernel6.12-modules-extra
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
perf6.12
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
perf6.12-debuginfo
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
python3-perf6.12
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
python3-perf6.12-debuginfo
Amazon Linux 2023
0:6.12.35-55.103.amzn2023
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
kernel
Azure Linux 3.0
0:6.6.126.1-1.azl3
fixed