From: Chuck Lever <chuck.lever@oracle.com>
On Thu, 19 Jun 2025 06:01:55 -0400, Jeff Layton wrote:
tianshuo han reported a remotely-triggerable crash if the client sends a kernel RPC server a specially crafted packet. If decoding the RPC reply fails in such a way that SVC_GARBAGE is returned without setting the rq_accept_statp pointer, then that pointer can be dereferenced and a value stored there.
If it's the first time the thread has processed an RPC, then that pointer will be set to NULL and the kernel will crash. In other cases, it could create a memory scribble.
[...]
Yesterday's version passed overnight CI testing.
Applied to nfsd-fixes, thanks!
[1/1] sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
      commit: 92c2969bcd57272698d5aae037f55481dcb11f2d
-- Chuck Lever
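The failure mode quoted above (a decode error that returns SVC_GARBAGE without setting rq_accept_statp, so a later store goes through NULL on a thread's first request or into an earlier request's reply buffer afterwards), as an added, simplified C model that is not the kernel's sunrpc code; the struct layout, decode_call, the version-word check and the SVC_DENIED outcome are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of the bug pattern described in the message; it is not
 * the kernel's sunrpc code. A server thread reuses one svc_rqst across all
 * requests, and rq_accept_statp only gets re-pointed at the current reply
 * buffer once the call header decodes cleanly. */
enum { SVC_OK = 0, SVC_GARBAGE = 1, SVC_DENIED = 2 };
#define ACCEPT_SUCCESS 0u            /* RFC 5531 accept_stat SUCCESS */

struct svc_rqst {
    uint32_t *rq_accept_statp;       /* slot for accept_stat; NULL on a fresh thread */
    unsigned long nr_requests;       /* how many requests this thread has seen */
};

/* Constructed header check: word 0 must hold RPC version 2. On failure it
 * returns SVC_GARBAGE without touching rq_accept_statp, as in the report. */
static int decode_call(struct svc_rqst *rq, uint32_t *reply,
                       const uint32_t *msg, size_t len)
{
    rq->nr_requests++;
    if (len < 2 || msg[0] != 2)
        return SVC_GARBAGE;
    rq->rq_accept_statp = &reply[1];
    return SVC_OK;
}

/* Where the unchecked path would store accept_stat after a decode failure:
 * NULL on the thread's first request (crash), or the previous request's
 * reply buffer afterwards (memory scribble). Returned, never dereferenced. */
static uint32_t *unchecked_store_target(struct svc_rqst *rq, uint32_t *reply,
                                        const uint32_t *msg, size_t len)
{
    (void)decode_call(rq, reply, msg, len);
    return rq->rq_accept_statp;
}

/* Hardened path: a decode failure during auth is reported as an auth
 * error, and the pointer is only dereferenced when decode succeeded. */
static int process_checked(struct svc_rqst *rq, uint32_t *reply,
                           const uint32_t *msg, size_t len)
{
    if (decode_call(rq, reply, msg, len) != SVC_OK)
        return SVC_DENIED;           /* no store through rq_accept_statp */
    *rq->rq_accept_statp = ACCEPT_SUCCESS;
    return SVC_OK;
}
```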