Bug#1126520: marked as done (nfs-ganesha: NULL RPC over UDP causes denial of service)

Debian Bug Tracking System Wed, 28 Jan 2026 23:34:31 -0800

Your message dated Wed, 28 Jan 2026 16:20:02 -0800
with message-id <[email protected]>
and subject line Re: nfs-ganesha: NULL RPC over UDP causes denial of service
has caused the Debian Bug report #1126520,
regarding nfs-ganesha: NULL RPC over UDP causes denial of service
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126520: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126520
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: nfs-ganesha
Version: 6.5-5
Severity: important
Tags: patch upstream
X-Debbugs-Cc: [email protected]

NFS-Ganesha suddenly starts to consume CPU time, and repeats this log message 
in a loop:

`rpc :TIRPC :EVENT :svc_dg_rendezvous: Bad message sa_family is 0xffff`

This continues until the NFS-Ganesha service is restarted.

There's an upstream report that this behaviour is triggered by receiving a NULL 
RPC over UDP. A patch has been merged into newer NFS-Ganesha versions, but not 
yet backported into Debian:

- https://github.com/nfs-ganesha/ntirpc/issues/326
- https://github.com/nfs-ganesha/ntirpc/pull/318

-- System Information:
Debian Release: 13.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.57+deb13-cloud-amd64 (SMP w/12 CPU threads; PREEMPT)

diff --git a/ntirpc/rpc/svc.h b/ntirpc/rpc/svc.h
index e53d5d695..748660828 100644
--- a/ntirpc/rpc/svc.h
+++ b/ntirpc/rpc/svc.h
@@ -562,9 +562,12 @@ static inline void svc_destroy_it(SVCXPRT *xprt,
                (*(xprt)->xp_ops->xp_unref_user_data)(xprt);
        }
 
-       /* Let's shutdown the sockets so that FIN-ACK could be sent to the
-        * client immediately. */
-       if (xprt->xp_fd != RPC_ANYFD) {
+       /* Check if the connection was already set as dead or closed,
+        * If set, let's cleanup and close the FDs, so that FIN-ACK
+        * could be sent to the client immediately.
+        * Also for UDP xprt, this is never set, needn't enter here */
+       if ((atomic_fetch_uint16_t(&xprt->xp_flags) & SVC_XPRT_FLAG_CLOSE)
+           && xprt->xp_fd != RPC_ANYFD) {
                (void)shutdown(xprt->xp_fd, SHUT_RDWR);
                if (xprt->xp_fd_send != RPC_ANYFD)
                        (void)shutdown(xprt->xp_fd_send, SHUT_RDWR);
diff --git a/src/svc_dg.c b/src/svc_dg.c
index d3c7e8c00..59c614bb9 100644
--- a/src/svc_dg.c
+++ b/src/svc_dg.c
@@ -255,7 +255,7 @@ svc_dg_rendezvous(SVCXPRT *xprt)
        su->su_dr.maxrec = req_su->su_dr.maxrec;
        svc_dg_override_ops(newxprt, xprt);
 
- again:
+again:
        iov.iov_base = &su[1];
        iov.iov_len = su->su_dr.maxrec;
        mesgp = &su->su_msghdr;
@@ -281,21 +281,21 @@ svc_dg_rendezvous(SVCXPRT *xprt)
                return (XPRT_DIED);
        }
 
-        if (sp->sa_family == (sa_family_t) 0xffff) {
-                __warnx(TIRPC_DEBUG_FLAG_ERROR,
-                        "%s: Bad message sa_family is 0xffff",
-                        __func__);
+       if (sp->sa_family == (sa_family_t) 0xffff) {
+               __warnx(TIRPC_DEBUG_FLAG_ERROR,
+                       "%s: xprt(%p) newxprt(%p) fd %d Bad message sa_family 
is 0xffff",
+                       __func__, xprt, newxprt, newxprt->xp_fd);
                svc_dg_xprt_free(su);
-                return SVC_STAT(xprt);
-        }
+               return SVC_STAT(xprt);
+       }
 
-        if (rlen == -1 || (rlen < (ssize_t) (4 * sizeof(u_int32_t)))) {
-                __warnx(TIRPC_DEBUG_FLAG_ERROR,
-                        "%s: Bad message rlen: %d",
-                        __func__, rlen);
+       if (rlen == -1 || (rlen < (ssize_t) (4 * sizeof(u_int32_t)))) {
+               __warnx(TIRPC_DEBUG_FLAG_ERROR,
+                               "%s: xprt(%p) newxprt(%p) fd %d Bad message 
rlen: %d",
+                               __func__, xprt, newxprt, newxprt->xp_fd, rlen);
                svc_dg_xprt_free(su);
-                return SVC_STAT(xprt);
-        }
+               return SVC_STAT(xprt);
+       }
 
        __rpc_address_setup(&newxprt->xp_local);
        __rpc_address_setup(&newxprt->xp_remote);
@@ -315,13 +315,13 @@ svc_dg_rendezvous(SVCXPRT *xprt)
 #endif
 
        xdrmem_create(su->su_dr.ioq.xdrs, iov.iov_base, iov.iov_len,
-                     XDR_DECODE);
+               XDR_DECODE);
 
        SVC_REF(xprt, SVC_REF_FLAG_NONE);
        newxprt->xp_parent = xprt;
 
        atomic_set_uint16_t_bits(&newxprt->xp_flags,
-           SVC_XPRT_FLAG_READY);
+               SVC_XPRT_FLAG_READY);
 
        return (xprt->xp_dispatch.rendezvous_cb(newxprt));
 }

--- End Message ---

--- Begin Message --- Oops, I see this fix was already backported into libntirpc6.3 (6.3-4 inunstable, 6.3-4~bpo13+1 in trixie-backports). Sorry for the noise.
--- End Message ---

Bug#1126520: marked as done (nfs-ganesha: NULL RPC over UDP causes denial of service)

Reply via email to