> On Nov 16, 2022, at 07:15, Denis Arefev <arefev@xxxxxxxxx> wrote:
>
> Return value of a function 'xdr_inline_decode' is dereferenced at
> nfs4xdr.c:5540 without checking for null,
> but it is usually checked for this function
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Denis Arefev <arefev@xxxxxxxxx>
> ---
>  fs/nfs/nfs4xdr.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
> index c6dbfcae7517..571cc63ecb61 100644
> --- a/fs/nfs/nfs4xdr.c
> +++ b/fs/nfs/nfs4xdr.c
> @@ -5533,6 +5533,8 @@ static int decode_op_map(struct xdr_stream *xdr, struct nfs4_op_map *op_map)
>  	if (bitmap_words > NFS4_OP_MAP_NUM_WORDS)
>  		return -EIO;
>  	p = xdr_inline_decode(xdr, 4 * bitmap_words);
> +	if (!p)
> +		return -EIO;
>  	for (i = 0; i < bitmap_words; i++)
>  		op_map->u.words[i] = be32_to_cpup(p++);
>

This bug was fixed in Linux 5.16 and newer by commit f114759c322e ("NFSv4: Fix potential Oops in decode_op_map()").

_________________________________
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@xxxxxxxxxxxxxxx
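Review bot: the added `if (!p) return -EIO;` is the right guard at this point in the hunk, because `xdr_inline_decode(xdr, 4 * bitmap_words)` returns NULL when the received XDR stream holds fewer bytes than requested, and the loop immediately below dereferences `p` through `be32_to_cpup(p++)` for every word, so an undersized or malformed reply from the server would otherwise cause a NULL-pointer Oops in the client; returning -EIO is also consistent with the `bitmap_words > NFS4_OP_MAP_NUM_WORDS` check two lines earlier, which rejects the reply the same way. As the maintainer's reply states, mainline from 5.16 onward already carries this fix as commit f114759c322e ("NFSv4: Fix potential Oops in decode_op_map()"), so this patch duplicates it there; if the goal is to protect older kernels, the submission should instead be a backport request for that upstream commit to the affected stable branches, referencing the upstream commit id in the message rather than a new patch against mainline.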