Re: [PATCH V2] nfs:check for user input filehandle size

Linux NFS development
 help / color / mirror / Atom feed

From: Trond Myklebust <trondmy@kernel.org>
To: Mark Brown <broonie@kernel.org>, zhangjian <zhangjian496@huawei.com>
Cc: steved@redhat.com, joannelkoong@gmail.com,
	chuck.lever@oracle.com,  djwong@kernel.org, jlayton@kernel.org,
	okorniev@redhat.com,  Aishwarya.Rambhadran@arm.com,
	linux-nfs@vger.kernel.org, lilingfeng3@huawei.com
Subject: Re: [PATCH V2] nfs:check for user input filehandle size
Date: Mon, 21 Jul 2025 19:07:59 -0400	[thread overview]
Message-ID: <e988251e8c5912a8e2c34ce8efbdcee239e25a59.camel@kernel.org> (raw)
In-Reply-To: <f08bb3e3-3b02-4d00-a787-34b5fc30da1b@sirena.org.uk>

On Mon, 2025-07-21 at 23:16 +0100, Mark Brown wrote:
> On Sun, Jun 29, 2025 at 05:31:07AM +0800, zhangjian wrote:
> > Syzkaller found an slab-out-of-bounds in nfs_fh_to_dentry when the
> > memory
> > of server_fh is not passed from user space. So I add a check for
> > input size.
> > 
> > Log is snipped as following:
> 
> We've been seeing failures in -next on LTP on a range of arm64
> systems
> with NFS roots in the name_to_handle_at01, open_by_handle_at01 and
> open_by_handle_at02 tests.  I bisected the first of these to this
> patch
> which is in -next as e29be1f394a3dbadc4e and does look rather
> plausible.
> 
> Test log:
> 
>        25455 19:32:08.444643  tst_tmpdir.c:316: TINFO: Using /ltp-
> tmp/ltp-hYUZKTq9fM/LTP_namNHNk6a as tmpdir (nfs filesystem)
>         25456 19:32:08.456042  tst_test.c:1900: TINFO: LTP version:
> 20250130-1-g60fe84aaf
>         25457 19:32:08.467435  tst_test.c:1904: TINFO: Tested kernel:
> 6.16.0-rc6-next-20250716 #1 SMP PREEMPT Wed Jul 16 13:20:00 UTC 2025
> aarch64
>         25458 19:32:08.467734  tst_kconfig.c:88: TINFO: Parsing
> kernel config '/proc/config.gz'
>         25459 19:32:08.478825  tst_test.c:1722: TINFO: Overall
> timeout per run is 0h 01m 30s
>         25460 19:32:08.479124  tst_buffers.c:57: TINFO: Test is using
> guarded buffers
>         25461 19:32:08.490212  name_to_handle_at01.c:94: TFAIL:
> open_by_handle_at() failed (0): ESTALE (116)
>         25464 19:32:08.501869  name_to_handle_at01.c:94: TFAIL:
> open_by_handle_at() failed (3): ESTALE (116)
>         25465 19:32:08.512847  name_to_handle_at01.c:94: TFAIL:
> open_by_handle_at() failed
>         25489 19:32:08.672266  Summary:
>         25490 19:32:08.672558  passed   0
>         25491 19:32:08.672788  failed   27
>         26185 19:33:10.208358  tst_tmpdir.c:316: TINFO: Using /ltp-
> tmp/ltp-hYUZKTq9fM/LTP_opeiSM8q7 as tmpdir (nfs filesystem)
>         26188 19:33:10.231165  tst_kconfig.c:88: TINFO: Parsing
> kernel config '/proc/config.gz'
>         26189 19:33:10.231460  tst_test.c:1722: TINFO: Overall
> timeout per run is 0h 01m 30s
>         26190 19:33:10.242485  tst_buffers.c:57: TINFO: Test is using
> guarded buffers
>         26191 19:33:10.253938  open_by_handle_at02.c:98: TPASS:
> invalid-dfd: open_by_handle_at() failed as expected: EBADF (9)
>         26192 19:33:10.254233  open_by_handle_at02.c:98: TPASS:
> stale-dfd: open_by_handle_at() failed as expected: ESTALE (116)
>         26196 19:33:10.288302  tst_capability.c:29: TINFO: Dropping
> CAP_DAC_READ_SEARCH(2)
>         26197 19:33:10.299325  tst_capability.c:41: TINFO: Permitting
> CAP_DAC_READ_SEARCH(2)
>         26198 19:33:10.310836  open_by_handle_at02.c:98: TPASS: no-
> capability: open_by_handle_at() failed as expected: EPERM (1)
>         26199 19:33:10.311132  open_by_handle_at02.c:92: TFAIL:
> symlink: open_by_handle_at() should fail with ELOOP: ESTALE (116)
>         26201 19:33:10.311579  Summary:
>         26202 19:33:10.311782  passed   6
>         26203 19:33:10.322143  failed   1
>         26163 19:33:10.106087  tst_tmpdir.c:316: TINFO: Using /ltp-
> tmp/ltp-hYUZKTq9fM/LTP_opeJvSZuG as tmpdir (nfs filesystem)
>         26166 19:33:10.117795  tst_kconfig.c:88: TINFO: Parsing
> kernel config '/proc/config.gz'
>         26167 19:33:10.128809  tst_test.c:1722: TINFO: Overall
> timeout per run is 0h 01m 30s
>         26168 19:33:10.129102  tst_buffers.c:57: TINFO: Test is using
> guarded buffers
>         26169 19:33:10.140117  open_by_handle_at01.c:93: TFAIL:
> open_by_handle_at() failed (0): ESTALE (116)
>         26170 19:33:10.151537  open_by_handle_at01.c:93: TFAIL:
> open_by_handle_at() failed (1): ESTALE (116)
>         26177 19:33:10.197165  open_by_handle_at01.c:93: TFAIL:
> open_by_handle_at() failed (8): ESTALE (116)
>         26179 19:33:10.197714  Summary:
>         26180 19:33:10.197929  passed   0
>         26181 19:33:10.198134  failed   9
> 
> Bisect log:
> 
> git bisect start
> # status: waiting for both good and bad commits
> # bad: [97987520025658f30bb787a99ffbd9bbff9ffc9d] Add linux-next
> specific files for 20250721
> git bisect bad 97987520025658f30bb787a99ffbd9bbff9ffc9d
> # status: waiting for good commit(s), bad commit known
> # good: [922467c8223bfa20435da8c9b1c99285aac735ff] Merge branch 'for-
> linux-next-fixes' of
> https://gitlab.freedesktop.org/drm/misc/kernel.git
> git bisect good 922467c8223bfa20435da8c9b1c99285aac735ff
> # bad: [73d0e6df78d50bd07d097a76eddc99cd89864d09] Merge branch 'main'
> of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git
> git bisect bad 73d0e6df78d50bd07d097a76eddc99cd89864d09
> # bad: [4ff8b17af7757fd16152eb8262c599129c8f5498] Merge branch 'fs-
> next' of linux-next
> git bisect bad 4ff8b17af7757fd16152eb8262c599129c8f5498
> # good: [13c60604ff678ac477521d9846fc2f75f0972e4b] Merge branch 'for-
> next' of https://github.com/sophgo/linux.git
> git bisect good 13c60604ff678ac477521d9846fc2f75f0972e4b
> # bad: [dce9a77d74cf572c1348d9d47cd79e7b61580f56] Merge branch 'for-
> next' of
> git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs.git
> git bisect bad dce9a77d74cf572c1348d9d47cd79e7b61580f56
> # good: [11581c89066a19d050d12b002609ade30bb39ece] Merge branch 'for-
> next' of
> git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git
> git bisect good 11581c89066a19d050d12b002609ade30bb39ece
> # good: [1d4e5eefd114eeb35449a8bcbbaa968baaa591e3] Merge branch 'dev'
> of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
> git bisect good 1d4e5eefd114eeb35449a8bcbbaa968baaa591e3
> # bad: [38a098af636b698e5e14978de4accdc8a5173e24] Merge branch
> 'linux-next' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6.git
> git bisect bad 38a098af636b698e5e14978de4accdc8a5173e24
> # good: [bce0d4cf481614eb1f0817a233d9479d609bd0a8] Merge branch
> 'ksmbd-for-next' of https://github.com/smfrench/smb3-kernel.git
> git bisect good bce0d4cf481614eb1f0817a233d9479d609bd0a8
> # good: [90c9550a8d65fb9b1bf87baf97a04ed91bf61b33] NFS: support the
> kernel keyring for TLS
> git bisect good 90c9550a8d65fb9b1bf87baf97a04ed91bf61b33
> # good: [d897d81671bc4615c80f4f3bd5e6b218f59df50c] pNFS: Handle RPC
> size limit for layoutcommits
> git bisect good d897d81671bc4615c80f4f3bd5e6b218f59df50c
> # bad: [e29be1f394a3dbadc4e5d198dfc822d49569bb52] nfs:check for user
> input filehandle size
> git bisect bad e29be1f394a3dbadc4e5d198dfc822d49569bb52
> # good: [7db6e66663681abda54f81d5916db3a3b8b1a13d] pNFS: Fix disk
> addr range check in block/scsi layout
> git bisect good 7db6e66663681abda54f81d5916db3a3b8b1a13d
> # first bad commit: [e29be1f394a3dbadc4e5d198dfc822d49569bb52]
> nfs:check for user input filehandle size

Thanks for the heads-up Mark! I'll back this patch out for now.

-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trondmy@kernel.org, trond.myklebust@hammerspace.com

next prev parent reply	other threads:[~2025-07-21 23:08 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-28 21:31 [PATCH V2] nfs:check for user input filehandle size zhangjian
2025-07-21 22:16 ` Mark Brown
2025-07-21 23:07   ` Trond Myklebust [this message]
  -- strict thread matches above, loose matches on Subject: below --
2025-06-26 20:20 zhangjian
2025-06-26  6:31 ` Li Lingfeng
2025-06-26  6:43   ` zhangjian (CG)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e988251e8c5912a8e2c34ce8efbdcee239e25a59.camel@kernel.org \
    --to=trondmy@kernel.org \
    --cc=Aishwarya.Rambhadran@arm.com \
    --cc=broonie@kernel.org \
    --cc=chuck.lever@oracle.com \
    --cc=djwong@kernel.org \
    --cc=jlayton@kernel.org \
    --cc=joannelkoong@gmail.com \
    --cc=lilingfeng3@huawei.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=okorniev@redhat.com \
    --cc=steved@redhat.com \
    --cc=zhangjian496@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox