• Trond Myklebust's avatar
    SUNRPC: Fix a Oops when destroying the RPCSEC_GSS credential cache · a652a4bc
    Trond Myklebust authored
    Commit 07d02a67 causes a use-after free in the RPCSEC_GSS credential
    destroy code, because the call to get_rpccred() in gss_destroying_context()
    will now always fail to increment the refcount.
    
    While we could just replace the get_rpccred() with a refcount_set(), that
    would have the unfortunate consequence of resurrecting a credential in
    the credential cache for which we are in the process of destroying the
    RPCSEC_GSS context. Rather than do this, we choose to make a copy that
    is never added to the cache and use that to destroy the context.
    
    Fixes: 07d02a67 ("SUNRPC: Simplify lookup code")
    Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
    a652a4bc
auth_gss.c 55.9 KB