diff options
| author | Chuck Lever <chuck.lever@oracle.com> | 2023-11-10 19:28:33 +0300 |
|---|---|---|
| committer | Chuck Lever <chuck.lever@oracle.com> | 2023-11-17 23:12:55 +0300 |
| commit | 1caf5f61dd8430ae5a0b4538afe4953ce7517cbb (patch) | |
| tree | c0fec6f1c00cd6306c68f389cb3200e9843003ae /lib/locking-selftest-rlock.h | |
| parent | 49cecd8628a9855cd993792a0377559ea32d5e7c (diff) | |
| download | linux-1caf5f61dd8430ae5a0b4538afe4953ce7517cbb.tar.xz | |
NFSD: Fix "start of NFS reply" pointer passed to nfsd_cache_update()
The "statp + 1" pointer that is passed to nfsd_cache_update() is
supposed to point to the start of the egress NFS Reply header. In
fact, it does point there for AUTH_SYS and RPCSEC_GSS_KRB5 requests.
But both krb5i and krb5p add fields between the RPC header's
accept_stat field and the start of the NFS Reply header. In those
cases, "statp + 1" points at the extra fields instead of the Reply.
The result is that nfsd_cache_update() caches what looks to the
client like garbage.
A connection break can occur for a number of reasons, but the most
common reason when using krb5i/p is a GSS sequence number window
underrun. When an underrun is detected, the server is obliged to
drop the RPC and the connection to force a retransmit with a fresh
GSS sequence number. The client presents the same XID, it hits in
the server's DRC, and the server returns the garbage cache entry.
The "statp + 1" argument has been used since the oldest changeset
in the kernel history repo, so it has been in nfsd_dispatch()
literally since before history began. The problem arose only when
the server-side GSS implementation was added twenty years ago.
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Tested-by: Jeff Layton <jlayton@kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'lib/locking-selftest-rlock.h')
0 files changed, 0 insertions, 0 deletions