author: Michael Bommarito <michael.bommarito@gmail.com> 2026-05-13 19:26:56 +0300
committer: Anna Schumaker <anna.schumaker@hammerspace.com> 2026-06-08 17:21:55 +0300
commit: 2c6bb3c40bc24f6aa8dfbe6fe98c3ad6389203f2
tree: 49fb333edb94551ca1fa10d385ebb57875557026 /scripts/git.orderFile
parent: 37957478be021b92981aa4c99b69f308d3b784d0
NFSv4/flexfiles: reject zero filehandle version count

ff_layout_alloc_lseg() decodes the filehandle-version array count from the flexfiles layout body. The value is used as the count for kzalloc_objs(), and the current code only rejects NULL. A zero count yields ZERO_SIZE_PTR, which can be stored in dss_info->fh_versions even though later flexfiles paths assume that at least one filehandle version exists.

Reject fh_count == 0 before the allocation, matching the existing zero version_count validation in the flexfiles GETDEVICEINFO parser.

A QEMU/KASAN run with a malformed flexfiles layout hit:

  KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
  RIP: 0010:ff_layout_encode_ff_layoutupdate.isra.0+0x15f/0x750
  ff_layout_encode_layoutreturn+0x683/0x970
  nfs4_xdr_enc_layoutreturn+0x278/0x3a0
  Kernel panic - not syncing: Fatal exception

The patched kernel rejects the malformed layout without KASAN/oops/panic, and a valid fh_count=1 regression still opens, reads, and unmounts cleanly.

Cc: stable@vger.kernel.org
Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>

Diffstat (limited to 'scripts/git.orderFile')
0 files changed, 0 insertions, 0 deletions
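
The validation pattern the commit message describes, as an added user-space C model (not the kernel patch and not code from this page): a count decoded from the wire is rejected when zero before it sizes an allocation that later code indexes at element 0. The struct and function names, the one-word-per-entry wire format, the errno values and the extra buffer-length bound are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* User-space model; every name below is hypothetical, not kernel code. */
struct fh_model { uint32_t size; };
struct mirror_model {
    uint32_t fh_count;
    struct fh_model *fh_versions;  /* consumers assume fh_versions[0] exists */
};

/* Read one big-endian XDR word and advance *p; -1 if fewer than 4 bytes remain. */
static int xdr_u32(const uint8_t **p, const uint8_t *end, uint32_t *out)
{
    if (end - *p < 4)
        return -1;
    *out = (uint32_t)(*p)[0] << 24 | (uint32_t)(*p)[1] << 16 |
           (uint32_t)(*p)[2] << 8 | (uint32_t)(*p)[3];
    *p += 4;
    return 0;
}

/* Decode "count, then count size words"; returns 0 or a negative errno. */
int decode_fh_versions(const uint8_t *buf, size_t len, struct mirror_model *m)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t count, i;

    m->fh_count = 0;
    m->fh_versions = NULL;
    if (xdr_u32(&p, end, &count))
        return -EIO;
    if (count == 0)                      /* zero-count rejection, before allocating */
        return -EINVAL;                  /* errno choice is an assumption */
    if (count > (size_t)(end - p) / 4)   /* added bound: count must fit the buffer */
        return -EIO;
    m->fh_versions = calloc(count, sizeof(*m->fh_versions));
    if (!m->fh_versions)
        return -ENOMEM;
    for (i = 0; i < count; i++)          /* cannot run short: bounded above */
        xdr_u32(&p, end, &m->fh_versions[i].size);
    m->fh_count = count;
    return 0;
}
```

Without the zero check, calloc(0, ...) may return a non-NULL pointer to no storage, so a NULL test alone would accept the input, which is the user-space analogue of the ZERO_SIZE_PTR case in the commit message.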