On Thu, Jan 28, 2021 at 09:35:27PM -0500, bfields@xxxxxxxxxxxx wrote: > Note that this patch doesn't prevent an application from setting a > zero-length ACL. The xattr format is XDR with the first four bytes > representing the number of ACEs, so you'd set a zero-length ACL by > passing down a 4-byte all-zero buffer as the new value of the > system.nfs4_acl xattr. > > A zero-length NULL buffer is what's used to implement removexattr: > > int > __vfs_removexattr(struct dentry *dentry, const char *name) > { > ... > return handler->set(handler, dentry, inode, name, NULL, 0, XATTR_REPLACE); > } > > That's the case this patch covers. So, I should have said in the changelog, apologies--the behavior without this patch is that when it gets a removexattr, the client sends a SETATTR with a bitmap claiming there's an ACL attribute, but a zero-length attribute value list, and the server (correctly) returns BADXDR. --b.