Commit f2d47d02 authored by J. Bruce Fields's avatar J. Bruce Fields Committed by Trond Myklebust

Fix null dereference in call_allocate

In call_allocate we need to reach the auth in order to factor au_cslack
into the allocation.

As of a17c2153 "SUNRPC: Move the bound
cred to struct rpc_rqst", call_allocate attempts to do this by
dereferencing tk_client->cl_auth; however, this is not guaranteed to be
defined -- cl_auth can be zero in the case of gss context destruction (see
rpc_free_auth).

Reorder the client state machine to bind credentials before allocating,
so that we can instead reach the auth through the cred.
Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
Cc: stable@kernel.org
parent 49553c2e
...@@ -931,7 +931,7 @@ call_reserveresult(struct rpc_task *task) ...@@ -931,7 +931,7 @@ call_reserveresult(struct rpc_task *task)
task->tk_status = 0; task->tk_status = 0;
if (status >= 0) { if (status >= 0) {
if (task->tk_rqstp) { if (task->tk_rqstp) {
task->tk_action = call_allocate; task->tk_action = call_refresh;
return; return;
} }
...@@ -972,7 +972,7 @@ call_reserveresult(struct rpc_task *task) ...@@ -972,7 +972,7 @@ call_reserveresult(struct rpc_task *task)
static void static void
call_allocate(struct rpc_task *task) call_allocate(struct rpc_task *task)
{ {
unsigned int slack = task->tk_client->cl_auth->au_cslack; unsigned int slack = task->tk_rqstp->rq_cred->cr_auth->au_cslack;
struct rpc_rqst *req = task->tk_rqstp; struct rpc_rqst *req = task->tk_rqstp;
struct rpc_xprt *xprt = task->tk_xprt; struct rpc_xprt *xprt = task->tk_xprt;
struct rpc_procinfo *proc = task->tk_msg.rpc_proc; struct rpc_procinfo *proc = task->tk_msg.rpc_proc;
...@@ -980,7 +980,7 @@ call_allocate(struct rpc_task *task) ...@@ -980,7 +980,7 @@ call_allocate(struct rpc_task *task)
dprint_status(task); dprint_status(task);
task->tk_status = 0; task->tk_status = 0;
task->tk_action = call_refresh; task->tk_action = call_bind;
if (req->rq_buffer) if (req->rq_buffer)
return; return;
...@@ -1042,7 +1042,7 @@ call_refreshresult(struct rpc_task *task) ...@@ -1042,7 +1042,7 @@ call_refreshresult(struct rpc_task *task)
dprint_status(task); dprint_status(task);
task->tk_status = 0; task->tk_status = 0;
task->tk_action = call_bind; task->tk_action = call_allocate;
if (status >= 0 && rpcauth_uptodatecred(task)) if (status >= 0 && rpcauth_uptodatecred(task))
return; return;
switch (status) { switch (status) {
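Review bot: The new initializer in call_allocate, `unsigned int slack = task->tk_rqstp->rq_cred->cr_auth->au_cslack;`, is only safe because the other three hunks reorder the state machine so that call_refresh / call_refreshresult run first and call_refreshresult hands off to call_allocate only on the `status >= 0 && rpcauth_uptodatecred(task)` path; nothing at the dereference site records that dependency, so a later reordering of tk_action assignments would silently reintroduce the same class of NULL dereference the commit fixes. I would add a comment above the slack line, e.g. `/* rq_cred was bound by call_refresh, which now runs before us; cl_auth may be NULL during gss context destruction (see rpc_free_auth), so reach the auth through the cred. */`. Note also that this dereference happens in the declaration, before dprint_status(), so any future early-out for a missing cred would have to move the read into the body. call_reserveresult, call_allocate and call_refreshresult all continue outside the hunks shown, so the remaining tk_action transitions (including the failure cases in the switch below) could not be checked here.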