We've had a few hung task reports from syzbot fuzzing the nfsd netlink control interfaces. We don't have hard evidence of this, but one way this could happen is for userland to send down a large number of listening sockets and for them all to get stuck dealing with the portmapper. Set RPC_TASK_SOFTCONN unconditionally in rpcb_register_call, instead of only doing that on set requests or when rpcbind isn't using an AF_LOCAL socket. Reported-by: syzbot+e7baeb70aa00c22ed45e@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx> --- This is a bit of a Hail Mary play, as we don't have any firm evidence that this is the problem. Still, the scenario seems plausible, and it doesn't seem to make much sense using different RPC_TASK flags on rpcbind set and unset operations. --- net/sunrpc/rpcb_clnt.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c index 102c3818bc54d4f9a1fc5f854c3a841289974869..f0cad9bb0752d51f82733b2f7533f2269b4c69c4 100644 --- a/net/sunrpc/rpcb_clnt.c +++ b/net/sunrpc/rpcb_clnt.c @@ -402,14 +402,10 @@ static struct rpc_clnt *rpcb_create(struct net *net, const char *nodename, static int rpcb_register_call(struct sunrpc_net *sn, struct rpc_clnt *clnt, struct rpc_message *msg, bool is_set) { - int flags = RPC_TASK_NOCONNECT; int error, result = 0; - if (is_set || !sn->rpcb_is_af_local) - flags = RPC_TASK_SOFTCONN; msg->rpc_resp = &result; - - error = rpc_call_sync(clnt, msg, flags); + error = rpc_call_sync(clnt, msg, RPC_TASK_SOFTCONN); if (error < 0) return error; --- base-commit: 144cb1225cd863e1bd3ae3d577d86e1531afd932 change-id: 20241009-nfsd-next-61aab1221d59 Best regards, -- Jeff Layton <jlayton@xxxxxxxxxx>
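Review bot: within the visible context of this hunk the only reads of `is_set` and `sn` were in the removed `if (is_set || !sn->rpcb_is_af_local)` test, so if nothing after the hunk uses them they are now dead parameters of rpcb_register_call() and should be dropped from the signature and its callers in the same patch. The behaviour change is also narrower than the commit message suggests and should be stated explicitly: the dropped RPC_TASK_NOCONNECT path only covered the unset-over-AF_LOCAL case, and replacing it with RPC_TASK_SOFTCONN means a failed connect on that path now surfaces as an error return from rpc_call_sync() instead of a task that never connects; the message should confirm the unregister callers tolerate that error rather than leaving the justification at "Hail Mary".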