fs/nfsd/nfs4recover.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
In __cld_pipe_inprogress_downcall(), the get_user() that reads
princhashlen from the userspace cld_msg_v2 buffer does not check its
return value. A failing copy leaves princhashlen with uninitialised
stack contents, which are then used to drive memdup_user() and stored
as princhash.len on the resulting reclaim record. The other get_user()
calls in this function all check the return; only this one is missed,
which is most likely a copy-paste oversight from when v2 upcalls were
introduced.
Mirror the existing pattern used a few lines above for namelen.
namecopy is declared with __free(kfree) so the early return cleans up
the already-allocated buffer automatically.
Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
Signed-off-by: Dominik Woźniak <stalion@gmail.com>
---
fs/nfsd/nfs4recover.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index b338473d6e52..6ea25a52d2f4 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -718,7 +718,8 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
return PTR_ERR(namecopy);
name.data = namecopy;
name.len = namelen;
- get_user(princhashlen, &ci->cc_princhash.cp_len);
+ if (get_user(princhashlen, &ci->cc_princhash.cp_len))
+ return -EFAULT;
if (princhashlen > 0) {
princhashcopy = memdup_user(
&ci->cc_princhash.cp_data,
--
2.50.1 (Apple Git-155)
From: Chuck Lever <chuck.lever@oracle.com>
On Thu, 21 May 2026 17:46:56 +0200, Dominik Woźniak wrote:
> In __cld_pipe_inprogress_downcall(), the get_user() that reads
> princhashlen from the userspace cld_msg_v2 buffer does not check its
> return value. A failing copy leaves princhashlen with uninitialised
> stack contents, which are then used to drive memdup_user() and stored
> as princhash.len on the resulting reclaim record. The other get_user()
> calls in this function all check the return; only this one is missed,
> which is most likely a copy-paste oversight from when v2 upcalls were
> introduced.
>
> [...]
Applied to nfsd-testing, thanks!
[1/1] nfsd: check get_user() return when reading princhashlen
commit: aff199f9ef2d1870edbc27253798bd97ee9c65be
--
Chuck Lever <chuck.lever@oracle.com>
On Thu, 2026-05-21 at 17:46 +0200, Dominik Woźniak wrote:
> In __cld_pipe_inprogress_downcall(), the get_user() that reads
> princhashlen from the userspace cld_msg_v2 buffer does not check its
> return value. A failing copy leaves princhashlen with uninitialised
> stack contents, which are then used to drive memdup_user() and stored
> as princhash.len on the resulting reclaim record. The other get_user()
> calls in this function all check the return; only this one is missed,
> which is most likely a copy-paste oversight from when v2 upcalls were
> introduced.
>
> Mirror the existing pattern used a few lines above for namelen.
> namecopy is declared with __free(kfree) so the early return cleans up
> the already-allocated buffer automatically.
>
> Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
> Signed-off-by: Dominik Woźniak <stalion@gmail.com>
> ---
> fs/nfsd/nfs4recover.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
> index b338473d6e52..6ea25a52d2f4 100644
> --- a/fs/nfsd/nfs4recover.c
> +++ b/fs/nfsd/nfs4recover.c
> @@ -718,7 +718,8 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
> return PTR_ERR(namecopy);
> name.data = namecopy;
> name.len = namelen;
> - get_user(princhashlen, &ci->cc_princhash.cp_len);
> + if (get_user(princhashlen, &ci->cc_princhash.cp_len))
> + return -EFAULT;
> if (princhashlen > 0) {
> princhashcopy = memdup_user(
> &ci->cc_princhash.cp_data,
Nice catch.
Reviewed-by: Jeff Layton <jlayton@kernel.org>
© 2016 - 2026 Red Hat, Inc.