1. Patchew
  2. linux
  3. View series

[PATCH] nfsd: fix XDR padding calculation in ff_encode_getdeviceinfo

Jeff Layton posted 1 patch 1 week, 4 days ago 
fs/nfsd/flexfilelayoutxdr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] nfsd: fix XDR padding calculation in ff_encode_getdeviceinfo
Posted by Jeff Layton 1 week, 4 days ago 
nfsd4_ff_encode_getdeviceinfo() computes the da_addr_body reservation
as 16 + netid_len + addr_len, but the subsequent xdr_encode_opaque()
calls emit 8 + round_up(netid_len, 4) + round_up(addr_len, 4) bytes.
The mismatch means the declared da_addr_body length exceeds the actual
encoded data by 2-8 bytes on every flexfile GETDEVICEINFO reply,
leaking stale reply-page content to the client and mis-aligning the
subsequent version list decode.

Use xdr_align_size() for each string length to match what
xdr_encode_opaque() actually writes.

Fixes: efcae97fa425 ("NFSD: da_addr_body field missing in some GETDEVICEINFO replies")
Assisted-by: kres:claude-opus-4-6
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
 fs/nfsd/flexfilelayoutxdr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/flexfilelayoutxdr.c b/fs/nfsd/flexfilelayoutxdr.c
index f9f7e38cba13..7f357dbd1bb1 100644
--- a/fs/nfsd/flexfilelayoutxdr.c
+++ b/fs/nfsd/flexfilelayoutxdr.c
@@ -94,7 +94,8 @@ nfsd4_ff_encode_getdeviceinfo(struct xdr_stream *xdr,
 	}
 
 	/* len + padding for two strings */
-	addr_len = 16 + da->netaddr.netid_len + da->netaddr.addr_len;
+	addr_len = 8 + xdr_align_size(da->netaddr.netid_len) +
+		   xdr_align_size(da->netaddr.addr_len);
 	ver_len = 20;
 
 	len = 4 + ver_len + 4 + addr_len;

---
base-commit: b69fc3eaa867d0caa904634ea7a1b4569411b163
change-id: 20260527-pnfs-fixes-23451bb03d57

Best regards,
-- 
Jeff Layton <jlayton@kernel.org>
Re: [PATCH] nfsd: fix XDR padding calculation in ff_encode_getdeviceinfo
Posted by Chuck Lever 1 week, 4 days ago 
From: Chuck Lever <chuck.lever@oracle.com>

On Wed, 27 May 2026 14:30:41 -0400, Jeff Layton wrote:
> nfsd4_ff_encode_getdeviceinfo() computes the da_addr_body reservation
> as 16 + netid_len + addr_len, but the subsequent xdr_encode_opaque()
> calls emit 8 + round_up(netid_len, 4) + round_up(addr_len, 4) bytes.
> The mismatch means the declared da_addr_body length exceeds the actual
> encoded data by 2-8 bytes on every flexfile GETDEVICEINFO reply,
> leaking stale reply-page content to the client and mis-aligning the
> subsequent version list decode.
> 
> [...]

Applied to nfsd-testing, thanks!

[1/1] nfsd: fix XDR padding calculation in ff_encode_getdeviceinfo
      commit: d53136757d4192934ad67d4c5c58eb9bc99daf4b

--
Chuck Lever <chuck.lever@oracle.com>
Re: [PATCH] nfsd: fix XDR padding calculation in ff_encode_getdeviceinfo
Posted by Chuck Lever 1 week, 4 days ago 

On Wed, May 27, 2026, at 2:30 PM, Jeff Layton wrote:
> nfsd4_ff_encode_getdeviceinfo() computes the da_addr_body reservation
> as 16 + netid_len + addr_len, but the subsequent xdr_encode_opaque()
> calls emit 8 + round_up(netid_len, 4) + round_up(addr_len, 4) bytes.
> The mismatch means the declared da_addr_body length exceeds the actual
> encoded data by 2-8 bytes on every flexfile GETDEVICEINFO reply,
> leaking stale reply-page content to the client and mis-aligning the
> subsequent version list decode.
>
> Use xdr_align_size() for each string length to match what
> xdr_encode_opaque() actually writes.
>
> Fixes: efcae97fa425 ("NFSD: da_addr_body field missing in some 
> GETDEVICEINFO replies")
> Assisted-by: kres:claude-opus-4-6
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
> ---
>  fs/nfsd/flexfilelayoutxdr.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nfsd/flexfilelayoutxdr.c b/fs/nfsd/flexfilelayoutxdr.c
> index f9f7e38cba13..7f357dbd1bb1 100644
> --- a/fs/nfsd/flexfilelayoutxdr.c
> +++ b/fs/nfsd/flexfilelayoutxdr.c
> @@ -94,7 +94,8 @@ nfsd4_ff_encode_getdeviceinfo(struct xdr_stream *xdr,
>  	}
> 
>  	/* len + padding for two strings */
> -	addr_len = 16 + da->netaddr.netid_len + da->netaddr.addr_len;
> +	addr_len = 8 + xdr_align_size(da->netaddr.netid_len) +
> +		   xdr_align_size(da->netaddr.addr_len);
>  	ver_len = 20;
> 
>  	len = 4 + ver_len + 4 + addr_len;
>
> ---
> base-commit: b69fc3eaa867d0caa904634ea7a1b4569411b163
> change-id: 20260527-pnfs-fixes-23451bb03d57
>
> Best regards,
> -- 
> Jeff Layton <jlayton@kernel.org>

Fixes tag might/should be 9b9960a0ca47 ? LLM reviews vary on this.

nfsd4_ff_encode_layoutget at fs/nfsd/flexfilelayoutxdr.c:40-41 has the
same unaligned pattern for UID/GID strings: 8 + uid.len + 8 + gid.len.
Do you intend to address that calculation as well?

My preference here is to convert to xdrgen instead, but that's a much
bigger and less back-portable change.


-- 
Chuck Lever
Re: [PATCH] nfsd: fix XDR padding calculation in ff_encode_getdeviceinfo
Posted by Jeff Layton 1 week, 4 days ago 
On Wed, 2026-05-27 at 15:25 -0400, Chuck Lever wrote:
> 
> On Wed, May 27, 2026, at 2:30 PM, Jeff Layton wrote:
> > nfsd4_ff_encode_getdeviceinfo() computes the da_addr_body reservation
> > as 16 + netid_len + addr_len, but the subsequent xdr_encode_opaque()
> > calls emit 8 + round_up(netid_len, 4) + round_up(addr_len, 4) bytes.
> > The mismatch means the declared da_addr_body length exceeds the actual
> > encoded data by 2-8 bytes on every flexfile GETDEVICEINFO reply,
> > leaking stale reply-page content to the client and mis-aligning the
> > subsequent version list decode.
> > 
> > Use xdr_align_size() for each string length to match what
> > xdr_encode_opaque() actually writes.
> > 
> > Fixes: efcae97fa425 ("NFSD: da_addr_body field missing in some 
> > GETDEVICEINFO replies")
> > Assisted-by: kres:claude-opus-4-6
> > Signed-off-by: Jeff Layton <jlayton@kernel.org>
> > ---
> >  fs/nfsd/flexfilelayoutxdr.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/fs/nfsd/flexfilelayoutxdr.c b/fs/nfsd/flexfilelayoutxdr.c
> > index f9f7e38cba13..7f357dbd1bb1 100644
> > --- a/fs/nfsd/flexfilelayoutxdr.c
> > +++ b/fs/nfsd/flexfilelayoutxdr.c
> > @@ -94,7 +94,8 @@ nfsd4_ff_encode_getdeviceinfo(struct xdr_stream *xdr,
> >  	}
> > 
> >  	/* len + padding for two strings */
> > -	addr_len = 16 + da->netaddr.netid_len + da->netaddr.addr_len;
> > +	addr_len = 8 + xdr_align_size(da->netaddr.netid_len) +
> > +		   xdr_align_size(da->netaddr.addr_len);
> >  	ver_len = 20;
> > 
> >  	len = 4 + ver_len + 4 + addr_len;
> > 
> > ---
> > base-commit: b69fc3eaa867d0caa904634ea7a1b4569411b163
> > change-id: 20260527-pnfs-fixes-23451bb03d57
> > 
> > Best regards,
> > -- 
> > Jeff Layton <jlayton@kernel.org>
> 
> Fixes tag might/should be 9b9960a0ca47 ? LLM reviews vary on this.
> 
> nfsd4_ff_encode_layoutget at fs/nfsd/flexfilelayoutxdr.c:40-41 has the
> same unaligned pattern for UID/GID strings: 8 + uid.len + 8 + gid.len.
> Do you intend to address that calculation as well?
> 
> My preference here is to convert to xdrgen instead, but that's a much
> bigger and less back-portable change.
> 

Yep, I just saw the Sashiko review for it. I'll fix that one up in a
separate patch.

Cheers,
-- 
Jeff Layton <jlayton@kernel.org>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.