Subject: FAILED: patch "[PATCH] SUNRPC: svcauth_gss: avoid NULL deref on zero length" failed to apply to 6.1-stable tree
To: linux@joshua.hu,chuck.lever@oracle.com
Date: Mon, 29 Dec 2025 15:33:40 +0100
Message-ID: <2025122940-ember-smilingly-3df0@gregkh>
X-Mailing-List: stable@vger.kernel.org

The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to .

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x d4b69a6186b215d2dc1ebcab965ed88e8d41768d
# git commit -s
git send-email --to '' --in-reply-to '2025122940-ember-smilingly-3df0@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..

Possible dependencies:

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From d4b69a6186b215d2dc1ebcab965ed88e8d41768d Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Fri, 7 Nov 2025 10:05:33 -0500
Subject: [PATCH] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf

A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.

Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers
Signed-off-by: Chuck Lever

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c index a8ec30759a18..e2f0df8cdaa6 100644 --- a/net/sunrpc/auth_gss/svcauth_gss.c +++ b/net/sunrpc/auth_gss/svcauth_gss.c 
@@ -1083,7 +1083,8 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp, } length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p); - memcpy(page_address(in_token->pages[0]), xdr->p, length); + if (length) + memcpy(page_address(in_token->pages[0]), xdr->p, length); inlen -= length; to_offs = length;
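
Review bot: The new `if (length)` guard in front of the first memcpy in gss_read_proxy_verf() has no comment saying that it protects against in_token->pages[0] being NULL, and the condition it tests is one step removed from that. `length` is the min_t() of `inlen` and the bytes remaining between xdr->p and xdr->end, so it is zero both for the zero length gss_token case named in the commit message and whenever the XDR buffer is already exhausted. Skipping the copy is harmless in either case, but a reader who sees only "don't memcpy zero bytes" may later drop the check as redundant, since a zero-length memcpy looks safe. A one-line comment above the guard noting that page_address(in_token->pages[0]) must not be evaluated when no pages were allocated would keep the intent visible; for the 6.1.y backport, carry the same comment so the reason survives the conflict resolution.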