On Fri, Nov 20, 2015 at 11:56 AM, Benjamin Coddington <bcodding@xxxxxxxxxx> wrote: > On Fri, 20 Nov 2015, Trond Myklebust wrote: > >> Hi Ben, >> >> On Fri, Nov 20, 2015 at 9:56 AM, Benjamin Coddington >> <bcodding@xxxxxxxxxx> wrote: >> > >> > If clp->cl_cb_ident is zero, then nfs_cb_idr_remove_locked() skips removing >> > it when the nfs_client is freed. A decoding or server bug can then find >> > and try to put that first nfs_client which would lead to a crash. >> >> Thanks for fixing! >> Have you ever seen such a crash in the wild? IOW: is this something we >> should consider for stable? > > Yes, there's a server that sometimes sends truncated cb_compounds, and this > bug is hit if we continue decoding 0's past the end of received data since > cb_ident ends up being 0. Both fixes I sent today are trying to handle that > particular behavior. > OK. I'll mark both for stable inclusion then. Thanks! -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
