Patch "NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 9 Apr 2023 08:36:41 -0400

This is a note to let you know that I've just added the patch titled

    NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfsd-avoid-calling-opdesc-with-ops-opnum-op_illegal.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2f4978280f1aedb1ee37f29075670d1bb4d87abd
Author: Chuck Lever <chuck.lever@xxxxxxxxxx>
Date:   Fri Mar 31 16:31:19 2023 -0400

    NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL
    
    [ Upstream commit 804d8e0a6e54427268790472781e03bc243f4ee3 ]
    
    OPDESC() simply indexes into nfsd4_ops[] by the op's operation
    number, without range checking that value. It assumes callers are
    careful to avoid calling it with an out-of-bounds opnum value.
    
    nfsd4_decode_compound() is not so careful, and can invoke OPDESC()
    with opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end
    of nfsd4_ops[].
    
    Reported-by: Jeff Layton <jlayton@xxxxxxxxxx>
    Fixes: f4f9ef4a1b0a ("nfsd4: opdesc will be useful outside nfs4proc.c")
    Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index dfd3877fdd818..0394dd60a0b47 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2370,10 +2370,12 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp)
 	for (i = 0; i < argp->opcnt; i++) {
 		op = &argp->ops[i];
 		op->replay = NULL;
+		op->opdesc = NULL;
 
 		if (xdr_stream_decode_u32(argp->xdr, &op->opnum) < 0)
 			return 0;
 		if (nfsd4_opnum_in_range(argp, op)) {
+			op->opdesc = OPDESC(op);
 			op->status = nfsd4_dec_ops[op->opnum](argp, &op->u);
 			if (op->status != nfs_ok)
 				trace_nfsd_compound_decode_err(argp->rqstp,
@@ -2384,7 +2386,7 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp)
 			op->opnum = OP_ILLEGAL;
 			op->status = nfserr_op_illegal;
 		}
-		op->opdesc = OPDESC(op);
+
 		/*
 		 * We'll try to cache the result in the DRC if any one
 		 * op in the compound wants to be cached:






