This small patchset fixes a kernel crash when the rpcgss_context trace event is enabled and IO is in flight when a kerberos ticket expires. The crash occurs because the acceptor name may be 0 bytes long and the gss_fill_context() function does not handle it properly. This causes the ctx->gc_acceptor.data to be ZERO_SIZE_PTR which is not properly recognized by the tracepoint code. The first patch is a simple refactor and eliminates duplicate helper functions related to the crash. The second patch is the actual fix inside one of the helper functions due to the definition of an opaque XDR object. This object is defined in RFC 4506 (see section 4.10), where 'length' is an integer in a range including 0. Reproducer # Enable the tracepoint and mount the share trace-cmd start -e rpcgss:* mount -osec=krb5 nfs-server:/export /mnt/nfs # Obtain a kerberos ticket # Set ticket lifetime to something small like 20 seconds su test -c "kinit -l 20 test" # Sleep for a portion of the ticket lifetime so we are writing while the ticket expires sleep 10 # Now run some IO long enough that the ticket expires midway dd if=/dev/urandom of=/mnt/nfs/file bs=1M count=100 Dave Wysochanski (2): SUNRPC: Move simple_get_bytes and simple_get_netobj into xdr.h SUNRPC: Handle 0 length opaque XDR object data properly include/linux/sunrpc/xdr.h | 33 +++++++++++++++++++++++++++-- net/sunrpc/auth_gss/auth_gss.c | 29 ------------------------- net/sunrpc/auth_gss/gss_krb5_mech.c | 29 ------------------------- 3 files changed, 31 insertions(+), 60 deletions(-) -- 2.25.2
