From: Chuck Lever <chuck.lever@xxxxxxxxxx>

On Thu, 19 Jun 2025 06:01:55 -0400, Jeff Layton wrote:
> tianshuo han reported a remotely-triggerable crash if the client sends a
> kernel RPC server a specially crafted packet. If decoding the RPC reply
> fails in such a way that SVC_GARBAGE is returned without setting the
> rq_accept_statp pointer, then that pointer can be dereferenced and a
> value stored there.
>
> If it's the first time the thread has processed an RPC, then that
> pointer will be set to NULL and the kernel will crash. In other cases,
> it could create a memory scribble.
>
> [...]

Yesterday's version passed overnight CI testing.

Applied to nfsd-fixes, thanks!

[1/1] sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
      commit: 92c2969bcd57272698d5aae037f55481dcb11f2d

--
Chuck Lever