rpc: fix NULL dereference on kmalloc failure
authorJ. Bruce Fields <bfields@redhat.com>
Tue, 2 Mar 2021 15:48:38 +0000 (10:48 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 7 Apr 2021 13:00:04 +0000 (15:00 +0200)
commit5fb71b231c4ee23bcf6cc05877e55684523df4fe
tree78391078726819c03cc1d052ef5f21d0f9ad2d03
parent9e9aa1c03c33cd624351a4035f448be34c5ef2d7
rpc: fix NULL dereference on kmalloc failure

[ Upstream commit 0ddc942394013f08992fc379ca04cffacbbe3dae ]

I think this is unlikely but possible:

svc_authenticate sets rq_authop and calls svcauth_gss_accept.  The
kmalloc(sizeof(*svcdata), GFP_KERNEL) fails, leaving rq_auth_data NULL,
and returning SVC_DENIED.

This causes svc_process_common to go to err_bad_auth, and eventually
call svc_authorise.  That calls ->release == svcauth_gss_release, which
tries to dereference rq_auth_data.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Link: https://lore.kernel.org/linux-nfs/3F1B347F-B809-478F-A1E9-0BE98E22B0F0@oracle.com/T/#t
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/sunrpc/auth_gss/svcauth_gss.c