Date: Sat, 09 Feb 2019 05:18:36 +0000 From: bugzilla-noreply@freebsd.org To: fs@FreeBSD.org Subject: [Bug 235582] rpc_svc_gss / nfsd kernel panic Message-ID: <bug-235582-3630-Zx8TwAC3f4@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-235582-3630@https.bugs.freebsd.org/bugzilla/> References: <bug-235582-3630@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D235582 Rick Macklem <rmacklem@FreeBSD.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #201858|0 |1 is obsolete| | --- Comment #7 from Rick Macklem <rmacklem@FreeBSD.org> --- Created attachment 201862 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D201862&action= =3Dedit updated fix for srv side rpcsec_gss NULL client principal This is an update to the 201858 patch which does a couple of printf()s and no KASSERT(). It uses a local clname instead of the one in client->cl_cname so that any race caused by multiple RPC requests with the same handle and GSS_S_CONTINUE_INIT will be handled. (gss_release_name() sets client->cl_cname NULL and that could have resulted in the crash if multiple RPCs were received and handled concurrently as above.) I didn't think that gss_accept_sec_context() ever returned GSS_S_CONTINUE_INIT for Kerberos mechanism, but I could be wrong on this and if this does happen and the client erroneously sends the next token RPC twice, it could try to use client->cl_cname after it is set NULL by the gss_release_name() for the previous RPC message. The printf()s should tell us more about how the NULL cname happens. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-235582-3630-Zx8TwAC3f4>