Re: [PATCHv3] sunrpc/auth_gss: NULL pointer deref in gss_pipe_release()

From: Alex Polvi
Date: Mon Aug 14 2006 - 20:07:21 EST

On 8/14/06, Trond Myklebust <trond.myklebust@xxxxxxxxxx> wrote:
On Mon, 2006-08-14 at 16:34 -0400, Alex Polvi wrote:
> On 8/14/06, Alex Polvi <polvi@xxxxxxxxxx> wrote:
> > Here is another fix. It is quite silly, but clnt->cl_auth is set to
> > NULL in rpc_destroy_client(), then eventually referenced in
> > gss_release_pipe() via rpc_rmdir(). Simply removing the clnt->cl_auth
> > = NULL from clnt.c fixes the issue. I'm still trying to understand the
> > subsystem, but it seems like rpc_rmdir is being correctly called to
> > clean up because of the weirdness with umount -l and the nfs server
> > being turned on and off. Does that seem correct? Or is this still just
> > covering up some other part of the code being sloppy cleaning up?
> Also, I just want to make it clear that I do not think this is the
> proper fix. It is just pointing out that we intentionally set cl_auth
> to NULL, then reference it.

OK. I think I've finally managed to clean up the various interactions
with rpc_pipefs. I've uploaded a series of patches on the NFS client
website. See

The relevant patches are


From: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>

SUNRPC: make rpc_unlink() take a dentry argument instead of a

Signe-off-by: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>


From: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>

NFS: clean up rpc_rmdir

Make it take a dentry argument instead of a path

Signed-off-by: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>


From: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>

SUNRPC: rpc_unlink() must check for unhashed dentries

A prior call to rpc_depopulate() by rpc_rmdir() on the parent
directory may have already called simple_unlink() on this entry.
Add the same check to rpc_rmdir(). Also remove a redundant call
to rpc_close_pipes() in rpc_rmdir.

Signed-off-by: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>


From: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>

SUNRPC: Fix dentry refcounting issues with users of rpc_pipefs

rpc_unlink() and rpc_rmdir() will dput the dentry reference for

Signed-off-by: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>

Wooohooooo!!!! I can confirm that it fixes my testcase. I'll let you
know if I run into any problems.

Thanks again for all your help figuring this one out!

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at