Fix null dereference in call_allocate (f2d47d02) · Commits · 戴 / test

In call_allocate we need to reach the auth in order to factor au_cslack into the allocation. As of "SUNRPC: Move the bound cred to struct rpc_rqst", call_allocate attempts to do this by dereferencing tk_client->cl_auth, however this is not guaranteed to be defined--cl_auth can be zero in the case of gss context destruction (see rpc_free_auth). Reorder the client state machine to bind credentials before allocating, so that we can instead reach the auth through the cred. Signed-off-by:

J. Bruce Fields <bfields@redhat.com> Signed-off-by:

Trond Myklebust <Trond.Myklebust@netapp.com> Cc: stable@kernel.org

net/sunrpc/clnt.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -931,7 +931,7 @@ call_reserveresult(struct rpc_task *task)
		task->tk_status = 0;
		if (status >= 0) {
		if (task->tk_rqstp) {
		task->tk_action = call_allocate;
		task->tk_action = call_refresh;
		return;
		}

		@@ -972,7 +972,7 @@ call_reserveresult(struct rpc_task *task)
		static void
		call_allocate(struct rpc_task *task)
		{
		unsigned int slack = task->tk_client->cl_auth->au_cslack;
		unsigned int slack = task->tk_rqstp->rq_cred->cr_auth->au_cslack;
		struct rpc_rqst *req = task->tk_rqstp;
		struct rpc_xprt *xprt = task->tk_xprt;
		struct rpc_procinfo *proc = task->tk_msg.rpc_proc;
		@@ -980,7 +980,7 @@ call_allocate(struct rpc_task *task)
		dprint_status(task);

		task->tk_status = 0;
		task->tk_action = call_refresh;
		task->tk_action = call_bind;

		if (req->rq_buffer)
		return;
		@@ -1042,7 +1042,7 @@ call_refreshresult(struct rpc_task *task)
		dprint_status(task);

		task->tk_status = 0;
		task->tk_action = call_bind;
		task->tk_action = call_allocate;
		if (status >= 0 && rpcauth_uptodatecred(task))
		return;
		switch (status) {

Admin message