fs/nfsd/export.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-)
Given the right export table, it's possible to trigger a NULL pointer
dereference when mountd sends a path that has no export operations.
Check that the export_ops are set and just return -EINVAL if not.
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
Triggering this required a rather pathological export table (I just
exported "/"). Given that, I'm on the fence as to whether we want to
send this to stable.
---
fs/nfsd/export.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index 2a1499f2ad196a6033787260881e451146283bdc..4187c109d84985d33a69e19291edbf2b27b257d8 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -405,6 +405,7 @@ static struct svc_export *svc_export_lookup(struct svc_export *);
static int check_export(const struct path *path, int *flags, unsigned char *uuid)
{
struct inode *inode = d_inode(path->dentry);
+ struct export_operations *export_op = inode->i_sb->s_export_op;
/*
* We currently export only dirs, regular files, and (for v4
@@ -422,14 +423,20 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
if (*flags & NFSEXP_V4ROOT)
*flags |= NFSEXP_READONLY;
- /* There are two requirements on a filesystem to be exportable.
- * 1: We must be able to identify the filesystem from a number.
+ /* There are four requirements on a filesystem to be exportable:
+ * 1: It must define sb->s_export_op
+ * 2: We must be able to identify the filesystem from a number.
* either a device number (so FS_REQUIRES_DEV needed)
* or an FSID number (so NFSEXP_FSID or ->uuid is needed).
- * 2: We must be able to find an inode from a filehandle.
+ * 3: We must be able to find an inode from a filehandle.
* This means that s_export_op must be set.
- * 3: We must not currently be on an idmapped mount.
+ * 4: We must not currently be on an idmapped mount.
*/
+ if (!export_op) {
+ dprintk("%s: fs doesn't define export_operations!\n", __func__);
+ return -EINVAL;
+ }
+
if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) &&
!(*flags & NFSEXP_FSID) &&
uuid == NULL) {
@@ -437,7 +444,7 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
return -EINVAL;
}
- if (!exportfs_can_decode_fh(inode->i_sb->s_export_op)) {
+ if (!exportfs_can_decode_fh(export_op)) {
dprintk("exp_export: export of invalid fs type.\n");
return -EINVAL;
}
@@ -447,7 +454,7 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
return -EINVAL;
}
- if (inode->i_sb->s_export_op->flags & EXPORT_OP_NOSUBTREECHK &&
+ if (export_op->flags & EXPORT_OP_NOSUBTREECHK &&
!(*flags & NFSEXP_NOSUBTREECHECK)) {
dprintk("%s: %s does not support subtree checking!\n",
__func__, inode->i_sb->s_type->name);
---
base-commit: 983d014aafb14ee5e4915465bf8948e8f3a723b5
change-id: 20260116-nfsd-fixes-8c02927271e6
Best regards,
--
Jeff Layton <jlayton@kernel.org>Hi Jeff,
kernel test robot noticed the following build errors:
[auto build test ERROR on 983d014aafb14ee5e4915465bf8948e8f3a723b5]
url: https://github.com/intel-lab-lkp/linux/commits/Jeff-Layton/nfsd-fix-NULL-pointer-dereference-in-check_export/20260117-022519
base: 983d014aafb14ee5e4915465bf8948e8f3a723b5
patch link: https://lore.kernel.org/r/20260116-nfsd-fixes-v1-1-019689b72747%40kernel.org
patch subject: [PATCH] nfsd: fix NULL pointer dereference in check_export()
config: arm64-randconfig-002-20260117 (https://download.01.org/0day-ci/archive/20260117/202601171105.1nmOHcdX-lkp@intel.com/config)
compiler: clang version 22.0.0git (https://github.com/llvm/llvm-project 9b8addffa70cee5b2acc5454712d9cf78ce45710)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260117/202601171105.1nmOHcdX-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202601171105.1nmOHcdX-lkp@intel.com/
All errors (new ones prefixed by >>):
>> fs/nfsd/export.c:408:28: error: initializing 'struct export_operations *' with an expression of type 'const struct export_operations *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
408 | struct export_operations *export_op = inode->i_sb->s_export_op;
| ^ ~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
vim +408 fs/nfsd/export.c
404
405 static int check_export(const struct path *path, int *flags, unsigned char *uuid)
406 {
407 struct inode *inode = d_inode(path->dentry);
> 408 struct export_operations *export_op = inode->i_sb->s_export_op;
409
410 /*
411 * We currently export only dirs, regular files, and (for v4
412 * pseudoroot) symlinks.
413 */
414 if (!S_ISDIR(inode->i_mode) &&
415 !S_ISLNK(inode->i_mode) &&
416 !S_ISREG(inode->i_mode))
417 return -ENOTDIR;
418
419 /*
420 * Mountd should never pass down a writeable V4ROOT export, but,
421 * just to make sure:
422 */
423 if (*flags & NFSEXP_V4ROOT)
424 *flags |= NFSEXP_READONLY;
425
426 /* There are four requirements on a filesystem to be exportable:
427 * 1: It must define sb->s_export_op
428 * 2: We must be able to identify the filesystem from a number.
429 * either a device number (so FS_REQUIRES_DEV needed)
430 * or an FSID number (so NFSEXP_FSID or ->uuid is needed).
431 * 3: We must be able to find an inode from a filehandle.
432 * This means that s_export_op must be set.
433 * 4: We must not currently be on an idmapped mount.
434 */
435 if (!export_op) {
436 dprintk("%s: fs doesn't define export_operations!\n", __func__);
437 return -EINVAL;
438 }
439
440 if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) &&
441 !(*flags & NFSEXP_FSID) &&
442 uuid == NULL) {
443 dprintk("exp_export: export of non-dev fs without fsid\n");
444 return -EINVAL;
445 }
446
447 if (!exportfs_can_decode_fh(export_op)) {
448 dprintk("exp_export: export of invalid fs type.\n");
449 return -EINVAL;
450 }
451
452 if (is_idmapped_mnt(path->mnt)) {
453 dprintk("exp_export: export of idmapped mounts not yet supported.\n");
454 return -EINVAL;
455 }
456
457 if (export_op->flags & EXPORT_OP_NOSUBTREECHK &&
458 !(*flags & NFSEXP_NOSUBTREECHECK)) {
459 dprintk("%s: %s does not support subtree checking!\n",
460 __func__, inode->i_sb->s_type->name);
461 return -EINVAL;
462 }
463 return 0;
464 }
465
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Jeff,
kernel test robot noticed the following build warnings:
[auto build test WARNING on 983d014aafb14ee5e4915465bf8948e8f3a723b5]
url: https://github.com/intel-lab-lkp/linux/commits/Jeff-Layton/nfsd-fix-NULL-pointer-dereference-in-check_export/20260117-022519
base: 983d014aafb14ee5e4915465bf8948e8f3a723b5
patch link: https://lore.kernel.org/r/20260116-nfsd-fixes-v1-1-019689b72747%40kernel.org
patch subject: [PATCH] nfsd: fix NULL pointer dereference in check_export()
config: parisc-defconfig (https://download.01.org/0day-ci/archive/20260117/202601171021.4DQZyXiU-lkp@intel.com/config)
compiler: hppa-linux-gcc (GCC) 15.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260117/202601171021.4DQZyXiU-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202601171021.4DQZyXiU-lkp@intel.com/
All warnings (new ones prefixed by >>):
fs/nfsd/export.c: In function 'check_export':
>> fs/nfsd/export.c:408:47: warning: initialization discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
408 | struct export_operations *export_op = inode->i_sb->s_export_op;
| ^~~~~
vim +/const +408 fs/nfsd/export.c
404
405 static int check_export(const struct path *path, int *flags, unsigned char *uuid)
406 {
407 struct inode *inode = d_inode(path->dentry);
> 408 struct export_operations *export_op = inode->i_sb->s_export_op;
409
410 /*
411 * We currently export only dirs, regular files, and (for v4
412 * pseudoroot) symlinks.
413 */
414 if (!S_ISDIR(inode->i_mode) &&
415 !S_ISLNK(inode->i_mode) &&
416 !S_ISREG(inode->i_mode))
417 return -ENOTDIR;
418
419 /*
420 * Mountd should never pass down a writeable V4ROOT export, but,
421 * just to make sure:
422 */
423 if (*flags & NFSEXP_V4ROOT)
424 *flags |= NFSEXP_READONLY;
425
426 /* There are four requirements on a filesystem to be exportable:
427 * 1: It must define sb->s_export_op
428 * 2: We must be able to identify the filesystem from a number.
429 * either a device number (so FS_REQUIRES_DEV needed)
430 * or an FSID number (so NFSEXP_FSID or ->uuid is needed).
431 * 3: We must be able to find an inode from a filehandle.
432 * This means that s_export_op must be set.
433 * 4: We must not currently be on an idmapped mount.
434 */
435 if (!export_op) {
436 dprintk("%s: fs doesn't define export_operations!\n", __func__);
437 return -EINVAL;
438 }
439
440 if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) &&
441 !(*flags & NFSEXP_FSID) &&
442 uuid == NULL) {
443 dprintk("exp_export: export of non-dev fs without fsid\n");
444 return -EINVAL;
445 }
446
447 if (!exportfs_can_decode_fh(export_op)) {
448 dprintk("exp_export: export of invalid fs type.\n");
449 return -EINVAL;
450 }
451
452 if (is_idmapped_mnt(path->mnt)) {
453 dprintk("exp_export: export of idmapped mounts not yet supported.\n");
454 return -EINVAL;
455 }
456
457 if (export_op->flags & EXPORT_OP_NOSUBTREECHK &&
458 !(*flags & NFSEXP_NOSUBTREECHECK)) {
459 dprintk("%s: %s does not support subtree checking!\n",
460 __func__, inode->i_sb->s_type->name);
461 return -EINVAL;
462 }
463 return 0;
464 }
465
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
On Fri, 2026-01-16 at 13:22 -0500, Jeff Layton wrote:
> Given the right export table, it's possible to trigger a NULL pointer
> dereference when mountd sends a path that has no export operations.
> Check that the export_ops are set and just return -EINVAL if not.
>
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
> ---
> Triggering this required a rather pathological export table (I just
> exported "/"). Given that, I'm on the fence as to whether we want to
> send this to stable.
> ---
> fs/nfsd/export.c | 19 +++++++++++++------
> 1 file changed, 13 insertions(+), 6 deletions(-)
>
> diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
> index 2a1499f2ad196a6033787260881e451146283bdc..4187c109d84985d33a69e19291edbf2b27b257d8 100644
> --- a/fs/nfsd/export.c
> +++ b/fs/nfsd/export.c
> @@ -405,6 +405,7 @@ static struct svc_export *svc_export_lookup(struct svc_export *);
> static int check_export(const struct path *path, int *flags, unsigned char *uuid)
> {
> struct inode *inode = d_inode(path->dentry);
> + struct export_operations *export_op = inode->i_sb->s_export_op;
>
> /*
> * We currently export only dirs, regular files, and (for v4
> @@ -422,14 +423,20 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
> if (*flags & NFSEXP_V4ROOT)
> *flags |= NFSEXP_READONLY;
>
> - /* There are two requirements on a filesystem to be exportable.
> - * 1: We must be able to identify the filesystem from a number.
> + /* There are four requirements on a filesystem to be exportable:
> + * 1: It must define sb->s_export_op
> + * 2: We must be able to identify the filesystem from a number.
> * either a device number (so FS_REQUIRES_DEV needed)
> * or an FSID number (so NFSEXP_FSID or ->uuid is needed).
> - * 2: We must be able to find an inode from a filehandle.
> + * 3: We must be able to find an inode from a filehandle.
> * This means that s_export_op must be set.
> - * 3: We must not currently be on an idmapped mount.
> + * 4: We must not currently be on an idmapped mount.
> */
> + if (!export_op) {
> + dprintk("%s: fs doesn't define export_operations!\n", __func__);
> + return -EINVAL;
> + }
> +
> if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) &&
> !(*flags & NFSEXP_FSID) &&
> uuid == NULL) {
> @@ -437,7 +444,7 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
> return -EINVAL;
> }
>
> - if (!exportfs_can_decode_fh(inode->i_sb->s_export_op)) {
> + if (!exportfs_can_decode_fh(export_op)) {
Hrm, actually exportfs_can_decode_fh() already checks this. You can
disregard this patch.
--
Jeff Layton <jlayton@kernel.org>
© 2016 - 2026 Red Hat, Inc.