From nobody Sun May 24 19:33:17 2026 Received: from mail-qt1-f170.google.com (mail-qt1-f170.google.com [209.85.160.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0F043264619 for ; Sat, 23 May 2026 01:40:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779500442; cv=none; b=V8wdvKWbEhzVKzQHC3q8y9C1tY1iLKBzGilOLMdYBrbdAu787p+X8DR4eCdJGuRDilLEvHqTSxtYccVMw5oV8Uz/BAYKOZHXw1Hkx3wsIfPjHdMcCJCvQABLd0bvNTea/P1SFz2CFl/R2PMhGIyp6ltfVWAbE2yBCNzBpMcHfpA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779500442; c=relaxed/simple; bh=ESbQr55fNsYNb1/DBObk305jbsHQFrKluJIJGXJV+Xk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=QxAF4KeGIgeBNi6dji7Md5HQioKMOh7S2IK1HHwP0zsrBbeomUeuGy8W3PGNt2s0lLGYMqAAV/zK5uwowXXUD2jbeDaci+3WE1evUXOsmc7qLgFsQRGsB6YQehPWloa/27ZUHph1kpea6RpBYzbohrXLNVRBYU2iVz5OWThnwWs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=foIDOb2j; arc=none smtp.client-ip=209.85.160.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="foIDOb2j" Received: by mail-qt1-f170.google.com with SMTP id d75a77b69052e-516d65a15f6so16485191cf.1 for ; Fri, 22 May 2026 18:40:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779500440; x=1780105240; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=e4WE67d3yOm7V6IzrZ9cvMKTT03sFO+GY/Hwtj8Zxsg=; b=foIDOb2jfGLOQ3OOoprusSJVKU3peVCY0QB811LXiW9JAqfug+hATMOoloC+S9xFBI Z33I+sDwxEyTcJYIiewRCsCpuPq+NUI6FM5fXZ99LbmlX8jvKdTdv+1SYlXjLQ9eq0/C oHzLj+V756CX21HnLuGzu/hNoTLCgDwgvhqjqgVaqTwI1wJUApyT62CJboA2MbEY9dgB VHzzGMYhz04Kn6q9F7eDkIgtBGAhxZjj9K10ZHETZi7iZ4/LhUOKLD7fNcYscoC28Q5r GfgvB6vY+Cd2gBsYnw80gEt7EkQvV8TTP74z7RnhngC3AvEYflQ623PIo80r6eHy8Hts GCEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779500440; x=1780105240; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=e4WE67d3yOm7V6IzrZ9cvMKTT03sFO+GY/Hwtj8Zxsg=; b=aAvXq0IXlder26CdQngW+BtNVtfAGAVb20u8/KM+n0D6gvEm4wSgn6soh7qHLBckXA 5gpmZ1/ntV0FAoCfLBpUg4TjRjakWyBnnr3dMqlh79oB+rkMU08UakC8KIrNTv5Eu42D ReGXHnrldR2TxSa/a8VvHIaKcFVwjxlMJqmMQ5nBrLWphrlnCzFbrU/eYiwtepqQY62n XI3wudjWfb2EXnaL7J+wJES2i/UZncQlE4n3PGcO3YcMj8+x8t9YXXF0rYYKiJN4iams 8Bpa+8+jqln7Nt5b9/CG1rjBOTtRELrhP2LGMegeTrfOWiy7/l1YH4vAuamw8SIMCpvo i3ag== X-Forwarded-Encrypted: i=1; AFNElJ+PdlBIT8hf6obkN8Lfl2FQ13zMydC5a5UeFp6lYE0ABu0iAd87GH72jdSjdav6UHDOCfE3BX6WD6jI1vE=@vger.kernel.org X-Gm-Message-State: AOJu0Yxaa5HNefIWjasa8cDi+FOCZgRPaLU3Nl914CjqySGEnX9JVFIP ll00NNQ3c0SBEoDX5GXG5hHpFIqtfyPC7ue3wdudHMAEA01/TrfAw3WiP0I9HUWvYRw= X-Gm-Gg: Acq92OHJhcL/OZQV2zKzdQBP8BkN9nq0OPAIhS+491IzHUb2qhg4BWCz+xFlEI8nxqq +iuvG+q7RQBsYXz/PkSyb3H4aOdaJqdML2aoRNUAK/kjAZCK3Xhd04VkLOPDr0a41FSKXJK5I+7 RG4mJ3mi3Fj4IECxSPehDd4iwKnyHN/yK4U1Fb82htLvX545OEs2NjPvi4IY1+knT7CX/VSW0Od U6agpLag6x4fbAUjyGt5K1Gt91CooGi65kF0nMjdD8hkZKvJJQFnqv0o17W0BaQY2zeIG4PKLwv hHyCfq8WvbuZHmO2QW0uc7skHgntAXI22hebrwNaSSm5K6tZjrhDBwCLe3V1ifFT8Y1x0Da3uou jSDfEunEKAPRSLBQI+Gn5t9eK0NDi4mgnzfx/1KNYEBDoYB5MN7mpPbsn14yhrb2uKN/G2sVVAk kvLlAUg3PgHnjvAho61wZHdDgbXTZXlAMUZE60pdYiWDdGnrzOUsd9eVCU+7tGWJM+NPUsfNrWl HMQhxDl35SE8lohqNYZ X-Received: by 2002:a05:622a:5a8a:b0:50f:340f:ff35 with SMTP id d75a77b69052e-516d58a9118mr67895161cf.26.1779500439995; Fri, 22 May 2026 18:40:39 -0700 (PDT) Received: from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-516d8b247c4sm28559031cf.7.2026.05.22.18.40.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 May 2026 18:40:39 -0700 (PDT) From: Michael Bommarito To: Trond Myklebust , Anna Schumaker Cc: Jeff Layton , Tom Haynes , Peng Tao , Kees Cook , Mike Snitzer , Tigran Mkrtchyan , linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 1/2] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Date: Fri, 22 May 2026 21:40:32 -0400 Message-ID: <20260523014033.2459677-2-michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260523014033.2459677-1-michael.bommarito@gmail.com> References: <20260523014033.2459677-1-michael.bommarito@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" nfs4_decode_mp_ds_addr() decodes the r_netid and r_addr opaques of a netaddr4 from a GETDEVICEINFO multipath-DS body, then immediately calls strrchr(buf, '.') to locate the port separator. Both decodes use xdr_stream_decode_string_dup(), and the current code checks only "nlen < 0" / "rlen < 0" before dereferencing the returned string. When the on-wire opaque has length zero, xdr_stream_decode_opaque_inline() returns 0 and xdr_stream_decode_string_dup() falls through to its "*str =3D NULL; return ret" tail, leaving buf NULL with a return value of 0. The "< 0" check does not catch this, and the next line is strrchr(NULL, '.'), a kernel NULL pointer dereference reachable from any pNFS-flexfile client mounted against a malicious or compromised metadata server. Reject the zero-length cases explicitly so the decoder fails with -EBADMSG (treated as a malformed GETDEVICEINFO body) instead of panicking the client. Cc: stable@vger.kernel.org Fixes: 6b7f3cf96364 ("nfs41: pull decode_ds_addr from file layout to generi= c pnfs") Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito --- fs/nfs/pnfs_nfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Reproduced via a malicious NFSv4.1/pNFS server returning a flexfile GETDEVICEINFO body with multipath_count >=3D 3 and one valid (netid, uaddr) pair. Linux 7.0-rc7 + KASAN, QEMU/KVM. Stock kernel: Oops: general protection fault [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:strrchr+0x24/0x80 Call Trace: nfs4_decode_mp_ds_addr+0xca/0x570 nfs4_ff_alloc_deviceid_node+0x357/0x1370 nfs4_find_get_deviceid+0x6b6/0xa90 nfs4_ff_layout_prepare_ds+0x3cf/0xa40 ff_layout_choose_ds_for_read+0x14c/0x350 ff_layout_pg_init_read+0x2a2/0xb90 ... nfs_file_splice_read+0xcf/0x190 do_sendfile+0x8eb/0xdf0 Kernel panic - not syncing: Fatal exception Deterministic for any multipath_count >=3D 3; multipath_count <=3D 2 does not crash because the loop ends before consuming the malformed trailing bytes. Patched kernel rejects the same crafted body and a baseline multipath_count =3D 1 mount + read completes normally. diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c index 12632a706da88..0ff43dbcb7cd7 100644 --- a/fs/nfs/pnfs_nfs.c +++ b/fs/nfs/pnfs_nfs.c @@ -1075,14 +1075,14 @@ nfs4_decode_mp_ds_addr(struct net *net, struct xdr_= stream *xdr, gfp_t gfp_flags) /* r_netid */ nlen =3D xdr_stream_decode_string_dup(xdr, &netid, XDR_MAX_NETOBJ, gfp_flags); - if (unlikely(nlen < 0)) + if (unlikely(nlen <=3D 0)) goto out_err; =20 /* r_addr: ip/ip6addr with port in dec octets - see RFC 5665 */ /* port is ".ABC.DEF", 8 chars max */ rlen =3D xdr_stream_decode_string_dup(xdr, &buf, INET6_ADDRSTRLEN + IPV6_SCOPE_ID_LEN + 8, gfp_flags); - if (unlikely(rlen < 0)) + if (unlikely(rlen <=3D 0)) goto out_free_netid; =20 /* replace port '.' with '-' */ --=20 2.53.0 From nobody Sun May 24 19:33:17 2026 Received: from mail-qt1-f176.google.com (mail-qt1-f176.google.com [209.85.160.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4B1D0275AFB for ; Sat, 23 May 2026 01:40:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.176 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779500443; cv=none; b=UHZo6YWU6qhJJlUt60LAw1bid7QuaiDldze9GXNT+qINgwQDJt4nnZiC1NGL0WBdEXc3GWnPgsHDohIwZxn5sLkHIav/7wv+Tnc8JxStEfA3CuU5qXFnp4xE3eUV/L/npQJcBxu6+52/KfCwYaUiWU2OypMUcJ3ohxqyH9+AqKA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779500443; c=relaxed/simple; bh=hnduPY82/gGMnSQk7PIZuYmtQRqZ9KgbG5y9Zo+wlAw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fJH5Fa79T0YaT42/uN7UIwxIYmhakW34uPZYOSwWlVuJlcQzSqsa1nFrHegGkoHNpy1eJugiQ/WXQaYLNQceFX0UAV2dKCL75koP5VlmFx/j5slWLWFVFfGAmfpi6W89gZZH6ad7ENPwQYHL87hEu+grHADcNl4BuKPNGHTvX0s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=DCqx65r6; arc=none smtp.client-ip=209.85.160.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="DCqx65r6" Received: by mail-qt1-f176.google.com with SMTP id d75a77b69052e-50fb8e9a4edso93985051cf.1 for ; Fri, 22 May 2026 18:40:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779500441; x=1780105241; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=/6cmfWT4Yx0qceSMPkSgJjcCJUqUmrReUf7axDysEWM=; b=DCqx65r6vGsgdHDLDLDCz99TB0Y0m4QQfonN4pMO1+OVVQY8CZY4Vd2Ts86lyNJ7yo 8RDm4FI2vnFEWM1mKf0cZMV8PNNtwxwRa647pOQ7uISsEEEsokDcjXlsxFpGvY+KVmqJ Q0BpC/0YVM5hzkCOEzBdPaH0neGnYW2QeaekwDrSqOWxLXzXhp6tWFbyaFTvMzxlUK1F zuY8DUSj4PWtTs9H2xKSYsjCKfuOo/bkkeN9C+Z/DHlTrdJ4h14fMGJMH151/ck/oamZ rHSsMzgskxJrRgoav0vNmIcv5tq64Q/fcx9qN8wHqUQsptTEbdwvtJckT4Lseqhhgv1U 6N8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779500441; x=1780105241; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=/6cmfWT4Yx0qceSMPkSgJjcCJUqUmrReUf7axDysEWM=; b=R5RCjckySIBF/nrN8yc3XiazeFumzOuJTrrTpa1wNNFmxVG0ZVAAYXpA0alqjWls5s cKGZqq5ugVhlriHMjjIbqvoF1OMMuFvClA2v7/xvRDUlirSNamnR5/lEIFBOXbAXnvcc Cl3FkHSjBtLe3fi68PQgBju+e9wU3m6/oeV7XUpD35mcw/6Rd8uzodH0VK+wGFO7VtfG 1d191CnWcSW0X0R77FGJYzOM63V5EGVfUIRxQaYlya4OidCQa16CxHeTYtRcc/aWy2i4 kTZuLQyZZJqvB0Bw5DzG7fwgMTcpoiYYsdp5FDdqUsgZwWYKPJ8eAFDF0q0BBeBcrBlu e8SQ== X-Forwarded-Encrypted: i=1; AFNElJ94Dn+G24q8E/nQJqz82YDis+YUK+QzWUiYVLHwLojnuUTevj2yJpyfu9nKNtiX+cw1Cb/ZHV34BPoQQJ4=@vger.kernel.org X-Gm-Message-State: AOJu0Yy1IGBvAwuKLUFnmu8iAfYJq1K4mfGWMvYZTzOywEXeOYnFUZPQ 1NJfeGl6wHimsYR5cShBW4ERqrMHVQikIc1lUzHP9cuh1MABxnSeQncB X-Gm-Gg: Acq92OEIT/5O1qEjzKj0UjdW7YHPywfyYXCuRGsKNqkbx5Q3iu2tLNLKcTZR4XIgAZl fhfCedrYeLCTVAsE0WtS5hecB99uEylra4q7TmY4+F6fgGTdNmCK7J4pQ1ihYX4jpLB9M4CZbZX Cbc1p5YBgM+XugD/x1r9dAWJdmV7Lp64oFBzJUWPjpw2cKwW/pOYwwqshrZ2yzVOCy6ri2iEAjQ pe4tAjIrxOrSGCR5ey1PbGxnpVQH4aDoNJIADufgkrR65uFDDpusvoaK0RzuH1+1sxE9zHtNKtd jVAas1FMOFzIhbLzRs0nj1FFReQlgwxHIuOuGqaQxjmm3JFw2Wz2jgQmvK2rNGdvCx3BuP83a9Z 33WiDYCRskN8XoQ/eOASKU955b47Mm2MHmqMIfc4HancJZOaTS9cr+ebQ8bwtp6UzaxhamT/U3p 1Dqyon2U4qRsPwjcZa8JpxsuoHzKT6jZcGryH9jXPvhOvHn94cFHENmdTpanhpfNNI/OaDaz/6R NwwBL/Rd81c++2bj7RVOqJXCwgjAoU= X-Received: by 2002:a05:622a:94:b0:50f:be4f:465b with SMTP id d75a77b69052e-516d46455b3mr84987961cf.33.1779500441203; Fri, 22 May 2026 18:40:41 -0700 (PDT) Received: from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-516d8b247c4sm28559031cf.7.2026.05.22.18.40.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 May 2026 18:40:40 -0700 (PDT) From: Michael Bommarito To: Trond Myklebust , Anna Schumaker Cc: Jeff Layton , Tom Haynes , Peng Tao , Kees Cook , Mike Snitzer , Tigran Mkrtchyan , linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH 2/2] NFSv4/flexfile,filelayout: bound multipath DS count in GETDEVICEINFO Date: Fri, 22 May 2026 21:40:33 -0400 Message-ID: <20260523014033.2459677-3-michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260523014033.2459677-1-michael.bommarito@gmail.com> References: <20260523014033.2459677-1-michael.bommarito@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Both the flexfile and the (legacy) file pNFS layout drivers decode a multipath-DS count from a server-supplied GETDEVICEINFO body and then iterate it via nfs4_decode_mp_ds_addr() without any upper bound. The filelayout driver already caps the outer ds_num against NFS4_PNFS_MAX_MULTI_CNT (=3D=3D 256) but applies no equivalent cap to the inner mp_count; the flexfile driver applies no cap on either. In addition, both inner loops ignore a NULL return from nfs4_decode_mp_ds_addr(), so once the on-wire data no longer matches a valid netaddr4 encoding the loop is free to consume the trailing bytes of the device_addr opaque as garbage netid + uaddr pairs. A malicious or compromised pNFS metadata server can therefore drive the inner loop indefinitely (up to 2^32 - 1 iterations) against a fixed-size 56-byte body, with each iteration triggering an allocation / kmemdup_nul cycle inside the decoder. Promote NFS4_PNFS_MAX_MULTI_CNT from the filelayout private header to include/linux/nfs4.h so both drivers (and any future pNFS layout driver that decodes a multipath address list) bound the wire-level field consistently. Apply the cap to the inner mp_count in both drivers, matching the existing ds_num check, and bail on the first NULL return so a server that lies about mp_count cannot quietly extend the loop into the trailing layout-body bytes. This is defense-in-depth on top of the companion patch which closes the NULL-deref in nfs4_decode_mp_ds_addr(); either patch alone closes the kernel-panic shape, both together close the latent unbounded-decode class. Cc: stable@vger.kernel.org Fixes: 35124a0994fc ("Cleanup XDR parsing for LAYOUTGET, GETDEVICEINFO") Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver") Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito --- fs/nfs/filelayout/filelayout.h | 2 +- fs/nfs/filelayout/filelayoutdev.c | 7 +++++-- fs/nfs/flexfilelayout/flexfilelayoutdev.c | 10 ++++++++-- include/linux/nfs4.h | 3 +++ 4 files changed, 17 insertions(+), 5 deletions(-) With this patch alone the crafted GETDEVICEINFO at multipath_count >=3D 3 is rejected at the bound check; malformed netaddr in the inner loop bails on the first NULL return. Either this patch or the companion 1/2 closes the panic; both together close the unbounded-decode class. Baseline multipath_count =3D 1 mount + read completes normally. diff --git a/fs/nfs/filelayout/filelayout.h b/fs/nfs/filelayout/filelayout.h index c7bb5da93307d..03298f2e7cd69 100644 --- a/fs/nfs/filelayout/filelayout.h +++ b/fs/nfs/filelayout/filelayout.h @@ -39,7 +39,7 @@ * RFC 5661 multipath_list4 structures. */ #define NFS4_PNFS_MAX_STRIPE_CNT 4096 -#define NFS4_PNFS_MAX_MULTI_CNT 256 /* 256 fit into a u8 stripe_index */ +/* NFS4_PNFS_MAX_MULTI_CNT now in ; shared with flexfile. */ =20 enum stripetype4 { STRIPE_SPARSE =3D 1, diff --git a/fs/nfs/filelayout/filelayoutdev.c b/fs/nfs/filelayout/filelayo= utdev.c index 7226989ee4d53..c58c786dcf011 100644 --- a/fs/nfs/filelayout/filelayoutdev.c +++ b/fs/nfs/filelayout/filelayoutdev.c @@ -159,10 +159,13 @@ nfs4_fl_alloc_deviceid_node(struct nfs_server *server= , struct pnfs_device *pdev, goto out_err_free_deviceid; =20 mp_count =3D be32_to_cpup(p); /* multipath count */ + if (mp_count > NFS4_PNFS_MAX_MULTI_CNT) + goto out_err_free_deviceid; for (j =3D 0; j < mp_count; j++) { da =3D nfs4_decode_mp_ds_addr(net, &stream, gfp_flags); - if (da) - list_add_tail(&da->da_node, &dsaddrs); + if (!da) + break; + list_add_tail(&da->da_node, &dsaddrs); } if (list_empty(&dsaddrs)) { dprintk("%s: no suitable DS addresses found\n", diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelay= out/flexfilelayoutdev.c index c40395ae08142..faed05cbe9f1c 100644 --- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c +++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c @@ -78,12 +78,18 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, = struct pnfs_device *pdev, goto out_err_drain_dsaddrs; mp_count =3D be32_to_cpup(p); dprintk("%s: multipath ds count %d\n", __func__, mp_count); + if (mp_count > NFS4_PNFS_MAX_MULTI_CNT) { + dprintk("%s: multipath count %u greater than supported maximum %d\n", + __func__, mp_count, NFS4_PNFS_MAX_MULTI_CNT); + goto out_err_drain_dsaddrs; + } =20 for (i =3D 0; i < mp_count; i++) { /* multipath ds */ da =3D nfs4_decode_mp_ds_addr(net, &stream, gfp_flags); - if (da) - list_add_tail(&da->da_node, &dsaddrs); + if (!da) + break; + list_add_tail(&da->da_node, &dsaddrs); } if (list_empty(&dsaddrs)) { dprintk("%s: no suitable DS addresses found\n", diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h index d87be1f25273a..bfc30baa8159a 100644 --- a/include/linux/nfs4.h +++ b/include/linux/nfs4.h @@ -767,6 +767,9 @@ enum pnfs_block_extent_state { PNFS_BLOCK_NONE_DATA =3D 3, }; =20 +/* Maximum NFSv4.1 pNFS multipath data-server address count */ +#define NFS4_PNFS_MAX_MULTI_CNT 256 + /* on the wire size of a block layout extent */ #define PNFS_BLOCK_EXTENT_SIZE \ (7 * sizeof(__be32) + NFS4_DEVICEID4_SIZE) --=20 2.53.0