Re: [PATCH] sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
From: Chuck Lever
Date: Thu Jun 19 2025 - 09:18:33 EST
On Thu, 19 Jun 2025 06:01:55 -0400, Jeff Layton wrote:
> tianshuo han reported a remotely-triggerable crash if the client sends a
> kernel RPC server a specially crafted packet. If decoding the RPC reply
> fails in such a way that SVC_GARBAGE is returned without setting the
> rq_accept_statp pointer, then that pointer can be dereferenced and a
> value stored there.
>
> If it's the first time the thread has processed an RPC, then that
> pointer will be set to NULL and the kernel will crash. In other cases,
> it could create a memory scribble.
>
> [...]
Yesterday's version passed overnight CI testing.
Applied to nfsd-fixes, thanks!
[1/1] sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
commit: 92c2969bcd57272698d5aae037f55481dcb11f2d
--
Chuck Lever
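
The failure mode described in the quoted commit message, as an added user-space model; this is not code from the patch or from the kernel. Apart from the rq_accept_statp and SVC_GARBAGE concepts, every name here is hypothetical, the "credential shorter than 8 bytes" failure condition is constructed, and treating garbage from the auth step as an auth rejection follows the patch subject line only.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model; names are hypothetical, not the kernel's definitions. */
enum auth_res { AUTH_OK, AUTH_GARBAGE };
enum outcome  { ACCEPTED, NULL_STORE, STALE_STORE, AUTH_REJECTED };

struct thread_state {
    uint32_t *accept_statp;   /* models rq_accept_statp; persists across RPCs */
};

/* Auth decoding: a too-short credential (constructed condition) fails
 * before the pointer for this request has been set. */
static enum auth_res decode_auth(struct thread_state *t, uint32_t *reply, size_t len)
{
    if (len < 8)
        return AUTH_GARBAGE;          /* accept_statp left untouched */
    t->accept_statp = &reply[0];
    return AUTH_OK;
}

/* Before: garbage from auth is reported by storing through accept_statp. */
static enum outcome process_before(struct thread_state *t, uint32_t *reply, size_t len)
{
    if (decode_auth(t, reply, len) == AUTH_OK) {
        *t->accept_statp = 0;         /* RPC accept_stat SUCCESS */
        return ACCEPTED;
    }
    if (t->accept_statp == NULL)      /* guard exists only so the model runs */
        return NULL_STORE;            /* first RPC on the thread: NULL store */
    *t->accept_statp = 4;             /* GARBAGE_ARGS lands in an older reply */
    return STALE_STORE;
}

/* After: garbage from auth is an auth error; the pointer is never used. */
static enum outcome process_after(struct thread_state *t, uint32_t *reply, size_t len)
{
    if (decode_auth(t, reply, len) != AUTH_OK)
        return AUTH_REJECTED;
    *t->accept_statp = 0;
    return ACCEPTED;
}

int main(void)
{
    struct thread_state t = { NULL };
    uint32_t reply[1] = { 0 };
    return process_after(&t, reply, 2) == AUTH_REJECTED ? 0 : 1;
}
```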