I think nfs_fattr_init() ought to set fattr->mdsthreshold to NULL. If the kmalloc()'d attr memory doesn't happen to be zero at fattr->mdsthreshold, and the server returns an unrequested mdsthreshold attribute, then decode_getfattr_attrs() will try to store via the uninitialized pointer in decode_first_threshold_item4().

I've attached a demo program, which I run with slub_debug=FZP:

# uname -a
Linux (none) 5.15.0-rc7-dirty #78 SMP Mon Nov 15 15:49:15 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux
# cc nfs_15.c
# ./nfs_15
...
[ 27.950132] decode_attr_mdsthreshold: Warning: Multiple pNFS layout drivers per filesystem not supported
[ 27.969630] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6f
[ 28.058092] epc : ffffffff8023dee0 ra : ffffffff8023deb2 sp : ffffffd00055b500
[ 28.231013] status: 0000000200000121 badaddr: 6b6b6b6b6b6b6b6f cause: 000000000000000f
[ 28.246069] [<ffffffff8023dee0>] decode_getfattr_attrs+0xdae/0x11fe
[ 28.259758] [<ffffffff8023e44e>] decode_getfattr_generic.constprop.0+0x11e/0x1b2
[ 28.275547] [<ffffffff8023ec86>] nfs4_xdr_dec_lookup+0xa2/0xac
[ 28.289208] [<ffffffff80754750>] rpcauth_unwrap_resp_decode+0x12/0x1a
[ 28.302635] [<ffffffff8075540c>] rpcauth_unwrap_resp+0x12/0x1a
[ 28.316324] [<ffffffff8074b7a8>] call_decode+0x112/0x176
[ 28.327634] [<ffffffff80753c8c>] __rpc_execute+0x76/0x216
[ 28.338932] [<ffffffff807542aa>] rpc_execute+0x58/0x7e
[ 28.350241] [<ffffffff8074cb34>] rpc_run_task+0x12c/0x16c
[ 28.361567] [<ffffffff8022271e>] nfs4_call_sync_custom+0x12/0x32
[ 28.375315] [<ffffffff802227ae>] nfs4_do_call_sync+0x70/0x8c
[ 28.389058] [<ffffffff802233ba>] _nfs4_proc_lookup+0xf2/0x11a
[ 28.402819] [<ffffffff8022e7ea>] nfs4_proc_lookup_common+0x7c/0x2a2
[ 28.416516] [<ffffffff8022eace>] nfs4_proc_lookup+0x42/0x9e
[ 28.427830] [<ffffffff80209c02>] nfs_lookup+0xa6/0x122
[ 28.439138] [<ffffffff80209f18>] nfs_atomic_open+0x29a/0x342
[ 28.452815] [<ffffffff8013756e>] path_openat+0x5ca/0xaf6
[ 28.464063] [<ffffffff80138468>] do_filp_open+0x70/0xd0
[ 28.475375] [<ffffffff801276de>] do_sys_openat2+0x1fc/0x298
[ 28.486697] [<ffffffff80128870>] do_sys_open+0x3c/0x78
[ 28.497986] [<ffffffff801288ee>] sys_openat+0x18/0x20
[ 28.509270] [<ffffffff80003046>] ret_from_syscall+0x0/0x2
Attachment: nfs_15.c (Description: Binary data)
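The defect class described in the report, as an added userspace model (not the attached nfs_15.c and not the kernel's own nfs_fattr or XDR code): an allocator hands back recycled memory filled with the slub poison byte, an initializer that does not touch the pointer field leaves it holding that poison, and a decoder that treats "non-NULL out-pointer" as "caller asked for this attribute" then stores through garbage. All struct and function names here (fattr_model, threshold_item, fattr_init_unfixed, fattr_init_fixed, decode_threshold_item) are constructed stand-ins, and the decoder carries a poison check that the real kernel path does not have, so the model reports the bad pointer instead of faulting:

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures; only the fields the model needs. */
struct threshold_item {
    uint64_t rd_sz;                      /* one threshold value, stands in for the real item */
};

struct fattr_model {
    unsigned int valid;                  /* which attributes were decoded */
    struct threshold_item *mdsthreshold; /* optional out-pointer: NULL means "not requested" */
};

/* The byte slub_debug=P writes into freed objects; matches the 0x6b pattern in the oops. */
#define POISON_BYTE 0x6b

/* Model of the initializer as reported: resets 'valid' but never touches mdsthreshold. */
static void fattr_init_unfixed(struct fattr_model *f)
{
    f->valid = 0;
}

/* Model of the suggested fix: every pointer field gets a defined value. */
static void fattr_init_fixed(struct fattr_model *f)
{
    f->valid = 0;
    f->mdsthreshold = NULL;
}

/* Model of the decode path. The server may send the attribute whether or not it was
 * requested; the decoder stores it only when an out-pointer is present.
 * Returns 1 if stored, 0 if skipped, -1 if the pointer holds poison (model-only check;
 * a real decoder would dereference it and fault, as in the reported oops). */
static int decode_threshold_item(struct fattr_model *f, int server_sent_item, uint64_t rd_sz)
{
    if (!server_sent_item || f->mdsthreshold == NULL)
        return 0;

    uintptr_t p = (uintptr_t)f->mdsthreshold;
    if ((p & 0xff) == POISON_BYTE && ((p >> 8) & 0xff) == POISON_BYTE)
        return -1;                       /* uninitialized pointer detected, do not store */

    f->mdsthreshold->rd_sz = rd_sz;
    f->valid |= 1u;
    return 1;
}

/* Allocate a fattr that looks like a recycled, poisoned slab object (constructed). */
static struct fattr_model *alloc_poisoned_fattr(void)
{
    struct fattr_model *f = malloc(sizeof *f);
    if (f)
        memset(f, POISON_BYTE, sizeof *f);
    return f;
}

/* Unrequested attribute arrives, initializer left the pointer untouched: -1 (poisoned). */
int scenario_unfixed_unrequested(void)
{
    struct fattr_model *f = alloc_poisoned_fattr();
    fattr_init_unfixed(f);
    int r = decode_threshold_item(f, 1, 4096);
    free(f);
    return r;
}

/* Same input with the fixed initializer: the attribute is safely ignored, 0. */
int scenario_fixed_unrequested(void)
{
    struct fattr_model *f = alloc_poisoned_fattr();
    fattr_init_fixed(f);
    int r = decode_threshold_item(f, 1, 4096);
    free(f);
    return r;
}

/* Caller that really wants the attribute supplies its buffer after init: stored, 1. */
int scenario_fixed_requested(uint64_t *out_rd_sz)
{
    struct threshold_item item = { 0 };
    struct fattr_model *f = alloc_poisoned_fattr();
    fattr_init_fixed(f);
    f->mdsthreshold = &item;
    int r = decode_threshold_item(f, 1, 4096);
    if (out_rd_sz)
        *out_rd_sz = item.rd_sz;
    free(f);
    return r;
}

int main(void)
{
    printf("unfixed init, unrequested attr: %d\n", scenario_unfixed_unrequested());
    printf("fixed init,   unrequested attr: %d\n", scenario_fixed_unrequested());
    uint64_t sz = 0;
    printf("fixed init,   requested attr:   %d (rd_sz=%llu)\n",
           scenario_fixed_requested(&sz), (unsigned long long)sz);
    return 0;
}
```

The point the model makes is that "pointer is non-NULL" is only a usable signal of "caller requested this" when the initializer guarantees NULL for the unrequested case; with recycled memory that guarantee has to come from the init routine, not from luck.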