2021-11-11 14:33:36

by rtm

Subject: an early NFS4ERR_MOVED causes client crash

do_nfs4_mount() issues a bunch of getattr RPCs before
server->super->s_root is set. If the server replies with an
NFS4ERR_MOVED during that time, nfs4_try_migration is called and
crashes when it tries to dereference s_root.

This problem exists on riscv kernel 5.15 and amd64 5.4.0. I've
attached a demo:

# cc nfs_12.c
# ./a.out
...
[ 16.217793] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
[ 16.219341] Oops [#1]
[ 16.219811] Modules linked in:
[ 16.220504] CPU: 0 PID: 70 Comm: 127.0.0.1-manag Not tainted 5.15.0-rc7-dirty #47
[ 16.221715] Hardware name: ucbbar,riscvemu-bare (DT)
[ 16.222491] epc : nfs4_try_migration+0x9e/0x13e
[ 16.223367] ra : nfs4_try_migration+0x90/0x13e
[ 16.224234] epc : ffffffff8079a5f8 ra : ffffffff8079a5ea sp : ffffffd000593df0
...
[ 16.236558] status: 0000000200000121 badaddr: 0000000000000030 cause: 000000000000000d
[ 16.237694] [<ffffffff8079a5f8>] nfs4_try_migration+0x9e/0x13e
[ 16.238743] [<ffffffff8023fcfe>] nfs4_run_state_manager+0x438/0x6aa
[ 16.239804] [<ffffffff80025b60>] kthread+0xfe/0x110
[ 16.240690] [<ffffffff80003054>] ret_from_exception+0x0/0xc


Attachments:
nfs_12.c (18.05 kB)
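Added model of the ordering the report describes, written for this page; it is not kernel code and not the attached nfs_12.c. The struct and function names only mirror the ones in the oops as stand-ins, the mock server that answers NFS4ERR_MOVED on a chosen getattr is constructed, and the guarded handler is one illustrative mitigation (defer migration until the mount has a root), not the fix that was actually applied. The NFS4ERR_MOVED value is the NFSv4 one from RFC 7530; the deferral code is the model's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Status codes. NFS4ERR_MOVED is the NFSv4 value (RFC 7530); the rest are this model's own. */
#define NFS4_OK        0
#define NFS4ERR_MOVED  10019
#define EAGAIN_DEFER   11      /* model stand-in for "mount not finished, retry later" */

/* Minimal stand-ins for the kernel structures named in the oops (not the real definitions). */
struct dentry      { const char *name; };
struct super_block { struct dentry *s_root; };
struct nfs_server  {
    struct super_block *super;
    int migrated;               /* set once migration has been handled */
    int migration_pending;      /* set when MOVED arrived before s_root existed */
};

/* Constructed mock server: answers NFS4ERR_MOVED to the getattr with index moved_at, OK otherwise. */
struct mock_server { int moved_at; int calls; };

static int mock_getattr(struct mock_server *srv)
{
    int idx = srv->calls++;
    return idx == srv->moved_at ? NFS4ERR_MOVED : NFS4_OK;
}

typedef int (*migration_fn)(struct nfs_server *, int *null_deref);

/* Unguarded handler, shaped like the report: it assumes s_root is already set.
 * Instead of faulting as the kernel does, it records the would-be NULL dereference. */
static int try_migration_unguarded(struct nfs_server *server, int *null_deref)
{
    struct dentry *root = server->super->s_root;
    if (root == NULL) {            /* on the real kernel this is the oops */
        *null_deref = 1;
        return -1;
    }
    server->migrated = 1;
    return 0;
}

/* Guarded handler: if the mount has not produced a root yet, defer and let the
 * mount path re-run migration once s_root is set. */
static int try_migration_guarded(struct nfs_server *server, int *null_deref)
{
    (void)null_deref;
    if (server->super->s_root == NULL) {
        server->migration_pending = 1;
        return -EAGAIN_DEFER;
    }
    server->migrated = 1;
    server->migration_pending = 0;
    return 0;
}

/* Model of the mount: 'ngetattr' getattr RPCs are issued first, then s_root is set.
 * Returns 1 if a NULL dereference would have occurred, 0 otherwise. */
static int model_mount(struct mock_server *srv, struct nfs_server *server,
                       struct dentry *root, int ngetattr, migration_fn handler)
{
    int null_deref = 0;
    for (int i = 0; i < ngetattr; i++) {
        if (mock_getattr(srv) == NFS4ERR_MOVED)
            handler(server, &null_deref);   /* state manager reacts to MOVED */
    }
    server->super->s_root = root;           /* mount completes, root now exists */
    if (server->migration_pending)          /* a deferred migration runs now */
        handler(server, &null_deref);
    return null_deref;
}

/* One scenario with three getattrs before the root is set.
 * Outcome: -1 = NULL dereference would occur, 1 = migration handled, 0 = nothing happened. */
static int scenario_outcome(int moved_at, migration_fn handler)
{
    struct dentry root = { "/" };
    struct super_block sb = { NULL };
    struct nfs_server server = { &sb, 0, 0 };
    struct mock_server srv = { moved_at, 0 };
    if (model_mount(&srv, &server, &root, 3, handler))
        return -1;
    return server.migrated ? 1 : 0;
}

int main(void)
{
    printf("unguarded, MOVED on 2nd getattr: %d\n", scenario_outcome(1, try_migration_unguarded));
    printf("guarded,   MOVED on 2nd getattr: %d\n", scenario_outcome(1, try_migration_guarded));
    printf("guarded,   server never moves:   %d\n", scenario_outcome(99, try_migration_guarded));
    return 0;
}
```

The point of the model is the ordering: every getattr in the loop runs while s_root is still NULL, so any MOVED reply in that window reaches the handler before the mount has a root. A handler that checks for that state and defers turns the crash into a retry after the mount finishes.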