* Re: [PATCH V2] nfs:check for user input filehandle size
2025-06-26 20:20 zhangjian
@ 2025-06-26 6:31 ` Li Lingfeng
2025-06-26 6:43 ` zhangjian (CG)
From: Li Lingfeng @ 2025-06-26 6:31 UTC (permalink / raw)
To: zhangjian
Cc: linux-nfs, steved, joannelkoong, chuck.lever, djwong, jlayton,
okorniev, yangerkun, zhangyi (F), Hou Tao, yukuai (C),
chengzhihao1@huawei.com
Hi, Zhang Jian
server_fh is obtained via (struct nfs_fh *)(p + EMBED_FH_OFF). Shouldn't
the condition (char*)server_fh <= (char*)p always be false?
Additionally, (u32*)server_fh - (u32*)p + 1 appears to be a fixed value.
Why use such an expression?
Finally, fh_len is derived from user-provided handle->handle_bytes. Is
this reliable?
By the way, you shouldn't add Anna and Benjamin's Reviewed-by, because they
haven't seen this version of your changes, and they also have some
comments on your previous version of changes. Also, Jeff only gave
Reviewed-by for your previous version of changes, and your new version of
changes is different from the previous one, so you shouldn't add it.
Thanks,
Lingfeng.
On 2025/6/27 4:20, zhangjian wrote:
> Syzkaller found a slab-out-of-bounds in nfs_fh_to_dentry when the memory
> of server_fh is not passed from user space. So I add a check for the input size.
>
> The log is snipped as follows:
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in nfs_fh_to_dentry+0x4ad/0x6d0 fs/nfs/export.c:70
> Read of size 2 at addr ffff888100b9ffd4 by task syz-executor301/755
>
> CPU: 1 PID: 755 Comm: syz-executor301 Tainted: G W 5.10.0 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> Call Trace:
> __dump_stack lib/dump_stack.c:82 [inline]
> dump_stack+0x107/0x167 lib/dump_stack.c:123
> print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
> kasan_report+0x3a/0x50 mm/kasan/report.c:585
> nfs_fh_to_dentry+0x4ad/0x6d0 fs/nfs/export.c:70
> exportfs_decode_fh_raw+0x128/0x680 fs/exportfs/expfs.c:436
> exportfs_decode_fh+0x3d/0x90 fs/exportfs/expfs.c:575
> do_handle_to_path fs/fhandle.c:152 [inline]
> handle_to_path fs/fhandle.c:207 [inline]
> do_handle_open+0x2c3/0x8d0 fs/fhandle.c:223
> do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x67/0xd1
> ==================================================================
>
> Signed-off-by: zhangjian <zhangjian496@huawei.com>
> Reviewed-by: Jeff Layton <jlayton@kernel.org>
> Reviewed-by: Anna Schumaker <anna.schumaker@oracle.com>
> Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
> ---
> fs/nfs/export.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/fs/nfs/export.c b/fs/nfs/export.c
> index e9c233b6f..565e01788 100644
> --- a/fs/nfs/export.c
> +++ b/fs/nfs/export.c
> @@ -66,14 +66,21 @@ nfs_fh_to_dentry(struct super_block *sb, struct fid *fid,
> {
> struct nfs_fattr *fattr = NULL;
> struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw);
> - size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
> + size_t fh_size;
> const struct nfs_rpc_ops *rpc_ops;
> struct dentry *dentry;
> struct inode *inode;
> - int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
> + int len;
> u32 *p = fid->raw;
> int ret;
>
> + /* check for user input size */
> + if ((char*)server_fh <= (char*)p || (int)((u32*)server_fh - (u32*)p + 1) < fh_len)
> + return ERR_PTR(-EINVAL);
> +
> + fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
> + len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
> +
> /* NULL translates to ESTALE */
> if (fh_len < len || fh_type != len)
> return NULL;
* Re: [PATCH V2] nfs:check for user input filehandle size
2025-06-26 6:31 ` Li Lingfeng
@ 2025-06-26 6:43 ` zhangjian (CG)
From: zhangjian (CG) @ 2025-06-26 6:43 UTC (permalink / raw)
To: Li Lingfeng
Cc: linux-nfs, steved, joannelkoong, chuck.lever, djwong, jlayton,
okorniev, yangerkun, zhangyi (F), Hou Tao, yukuai (C),
chengzhihao1@huawei.com
Sorry, I didn't know Reviewed-by is not allowed when there are changes.
server_fh is obtained from nfs_exp_embedfh(fid->raw), but nfs_exp_embedfh
may be changed. Calculating by hand may be safer.
fid->raw memory is copied with copy_from_user in handle_to_path, which guarantees
that the [fid->raw : fid->raw + 4*fh_len] memory is copied from userspace. So it
can be reliable.
Thanks for your criticism and guidance.
On 2025/6/26 14:31, Li Lingfeng wrote:
> Hi, Zhang Jian
>
> server_fh is obtained via (struct nfs_fh *)(p + EMBED_FH_OFF). Shouldn't
> the condition (char*)server_fh <= (char*)p always be false?
> Additionally, (u32*)server_fh - (u32*)p + 1 appears to be a fixed value.
> Why use such an expression?
> Finally, fh_len is derived from user-provided handle->handle_bytes. Is
> this reliable?
>
> By the way, you shouldn't add Anna and Benjamin's Reviewed-by, because they
> haven't seen this version of your changes, and they also have some
> comments on your previous version of changes. Also, Jeff only gave
> Reviewed-by for your previous version of changes, and your new version of
> changes is different from the previous one, so you shouldn't add it.
>
> Thanks,
> Lingfeng.
> On 2025/6/27 4:20, zhangjian wrote:
>> Syzkaller found a slab-out-of-bounds in nfs_fh_to_dentry when the memory
>> of server_fh is not passed from user space. So I add a check for the input
>> size.
>>
>> The log is snipped as follows:
>>
>> ==================================================================
>> BUG: KASAN: slab-out-of-bounds in nfs_fh_to_dentry+0x4ad/0x6d0 fs/nfs/
>> export.c:70
>> Read of size 2 at addr ffff888100b9ffd4 by task syz-executor301/755
>>
>> CPU: 1 PID: 755 Comm: syz-executor301 Tainted: G W
>> 5.10.0 #1
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>> 1.13.0-1ubuntu1.1 04/01/2014
>> Call Trace:
>> __dump_stack lib/dump_stack.c:82 [inline]
>> dump_stack+0x107/0x167 lib/dump_stack.c:123
>> print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
>> __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
>> kasan_report+0x3a/0x50 mm/kasan/report.c:585
>> nfs_fh_to_dentry+0x4ad/0x6d0 fs/nfs/export.c:70
>> exportfs_decode_fh_raw+0x128/0x680 fs/exportfs/expfs.c:436
>> exportfs_decode_fh+0x3d/0x90 fs/exportfs/expfs.c:575
>> do_handle_to_path fs/fhandle.c:152 [inline]
>> handle_to_path fs/fhandle.c:207 [inline]
>> do_handle_open+0x2c3/0x8d0 fs/fhandle.c:223
>> do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
>> entry_SYSCALL_64_after_hwframe+0x67/0xd1
>> ==================================================================
>>
>> Signed-off-by: zhangjian <zhangjian496@huawei.com>
>> Reviewed-by: Jeff Layton <jlayton@kernel.org>
>> Reviewed-by: Anna Schumaker <anna.schumaker@oracle.com>
>> Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
>> ---
>> fs/nfs/export.c | 11 +++++++++--
>> 1 file changed, 9 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/nfs/export.c b/fs/nfs/export.c
>> index e9c233b6f..565e01788 100644
>> --- a/fs/nfs/export.c
>> +++ b/fs/nfs/export.c
>> @@ -66,14 +66,21 @@ nfs_fh_to_dentry(struct super_block *sb, struct
>> fid *fid,
>> {
>> struct nfs_fattr *fattr = NULL;
>> struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw);
>> - size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
>> + size_t fh_size;
>> const struct nfs_rpc_ops *rpc_ops;
>> struct dentry *dentry;
>> struct inode *inode;
>> - int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
>> + int len;
>> u32 *p = fid->raw;
>> int ret;
>> + /* check for user input size */
>> + if ((char*)server_fh <= (char*)p || (int)((u32*)server_fh -
>> (u32*)p + 1) < fh_len)
>> + return ERR_PTR(-EINVAL);
>> +
>> + fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
>> + len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
>> +
>> /* NULL translates to ESTALE */
>> if (fh_len < len || fh_type != len)
>> return NULL;
* [PATCH V2] nfs:check for user input filehandle size
@ 2025-06-26 20:20 zhangjian
2025-06-26 6:31 ` Li Lingfeng
From: zhangjian @ 2025-06-26 20:20 UTC (permalink / raw)
To: steved, joannelkoong, chuck.lever, djwong, jlayton, okorniev; +Cc: linux-nfs
Syzkaller found a slab-out-of-bounds in nfs_fh_to_dentry when the memory
of server_fh is not passed from user space. So I add a check for the input size.
The log is snipped as follows:
==================================================================
BUG: KASAN: slab-out-of-bounds in nfs_fh_to_dentry+0x4ad/0x6d0 fs/nfs/export.c:70
Read of size 2 at addr ffff888100b9ffd4 by task syz-executor301/755
CPU: 1 PID: 755 Comm: syz-executor301 Tainted: G W 5.10.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0x107/0x167 lib/dump_stack.c:123
print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
nfs_fh_to_dentry+0x4ad/0x6d0 fs/nfs/export.c:70
exportfs_decode_fh_raw+0x128/0x680 fs/exportfs/expfs.c:436
exportfs_decode_fh+0x3d/0x90 fs/exportfs/expfs.c:575
do_handle_to_path fs/fhandle.c:152 [inline]
handle_to_path fs/fhandle.c:207 [inline]
do_handle_open+0x2c3/0x8d0 fs/fhandle.c:223
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
==================================================================
Signed-off-by: zhangjian <zhangjian496@huawei.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Anna Schumaker <anna.schumaker@oracle.com>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
---
fs/nfs/export.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/export.c b/fs/nfs/export.c
index e9c233b6f..565e01788 100644
--- a/fs/nfs/export.c
+++ b/fs/nfs/export.c
@@ -66,14 +66,21 @@ nfs_fh_to_dentry(struct super_block *sb, struct fid *fid,
{
struct nfs_fattr *fattr = NULL;
struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw);
- size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
+ size_t fh_size;
const struct nfs_rpc_ops *rpc_ops;
struct dentry *dentry;
struct inode *inode;
- int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
+ int len;
u32 *p = fid->raw;
int ret;
+ /* check for user input size */
+ if ((char*)server_fh <= (char*)p || (int)((u32*)server_fh - (u32*)p + 1) < fh_len)
+ return ERR_PTR(-EINVAL);
+
+ fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
+ len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
+
/* NULL translates to ESTALE */
if (fh_len < len || fh_type != len)
return NULL;
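Review bot: the comparison in the new guard looks reversed. `(int)((u32*)server_fh - (u32*)p + 1) < fh_len` returns -EINVAL when fh_len is larger than EMBED_FH_OFF + 1, yet a well-formed handle has to satisfy the existing `fh_len < len` test with `len = EMBED_FH_OFF + XDR_QUADLEN(fh_size)`, so every handle whose server part needs more than one XDR word is now rejected, while an fh_len smaller than EMBED_FH_OFF + 1 sails through the guard and still reaches the `server_fh->size` read that the KASAN report points at. The read is protected by the opposite condition, something like `if (fh_len < EMBED_FH_OFF + 1) return NULL;` placed ahead of the `fh_size = ...` line.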
--
2.33.0
* [PATCH V2] nfs:check for user input filehandle size
@ 2025-06-28 21:31 zhangjian
2025-07-21 22:16 ` Mark Brown
From: zhangjian @ 2025-06-28 21:31 UTC (permalink / raw)
To: steved, joannelkoong, chuck.lever, djwong, jlayton, okorniev,
lilingfeng3
Cc: linux-nfs
Syzkaller found a slab-out-of-bounds in nfs_fh_to_dentry when the memory
of server_fh is not passed from user space. So I add a check for the input size.
The log is snipped as follows:
==================================================================
BUG: KASAN: slab-out-of-bounds in nfs_fh_to_dentry+0x4ad/0x6d0 fs/nfs/
export.c:70
Read of size 2 at addr ffff888100b9ffd4 by task syz-executor301/755
CPU: 1 PID: 755 Comm: syz-executor301 Tainted: G W
5.10.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0x107/0x167 lib/dump_stack.c:123
print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
nfs_fh_to_dentry+0x4ad/0x6d0 fs/nfs/export.c:70
exportfs_decode_fh_raw+0x128/0x680 fs/exportfs/expfs.c:436
exportfs_decode_fh+0x3d/0x90 fs/exportfs/expfs.c:575
do_handle_to_path fs/fhandle.c:152 [inline]
handle_to_path fs/fhandle.c:207 [inline]
do_handle_open+0x2c3/0x8d0 fs/fhandle.c:223
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
==================================================================
V2:
- Fix mistake: add back server_fh initialization and move len initialization
below the user input size check.
Signed-off-by: zhangjian <zhangjian496@huawei.com>
---
fs/nfs/export.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/export.c b/fs/nfs/export.c
index e9c233b6f..565e01788 100644
--- a/fs/nfs/export.c
+++ b/fs/nfs/export.c
@@ -66,14 +66,21 @@ nfs_fh_to_dentry(struct super_block *sb, struct fid *fid,
{
struct nfs_fattr *fattr = NULL;
struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw);
- size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
+ size_t fh_size;
const struct nfs_rpc_ops *rpc_ops;
struct dentry *dentry;
struct inode *inode;
- int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
+ int len;
u32 *p = fid->raw;
int ret;
+ /* check for user input size */
+ if ((char*)server_fh <= (char*)p || (int)((u32*)server_fh - (u32*)p + 1) < fh_len)
+ return ERR_PTR(-EINVAL);
+
+ fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
+ len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
+
/* NULL translates to ESTALE */
if (fh_len < len || fh_type != len)
return NULL;
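Review bot: the first term of the guard, `(char*)server_fh <= (char*)p`, can never be true because `server_fh` is `fid->raw` plus the fixed EMBED_FH_OFF offset, and the second term, `(u32*)server_fh - (u32*)p + 1`, is simply the constant `EMBED_FH_OFF + 1`; written out, the check reads `EMBED_FH_OFF + 1 < fh_len`, which rejects exactly the handles large enough to pass the `fh_len < len` test below. Spell the bound as the constant and turn the comparison around (`fh_len < EMBED_FH_OFF + 1`), and consider returning NULL instead of ERR_PTR(-EINVAL) so a malformed handle takes the same path the `NULL translates to ESTALE` comment just below documents; the casts should also be `(char *)` / `(u32 *)` per kernel style.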
--
2.33.0
* Re: [PATCH V2] nfs:check for user input filehandle size
2025-06-28 21:31 [PATCH V2] nfs:check for user input filehandle size zhangjian
@ 2025-07-21 22:16 ` Mark Brown
2025-07-21 23:07 ` Trond Myklebust
From: Mark Brown @ 2025-07-21 22:16 UTC (permalink / raw)
To: zhangjian
Cc: steved, joannelkoong, chuck.lever, djwong, jlayton, okorniev,
Aishwarya.Rambhadran, linux-nfs, lilingfeng3
On Sun, Jun 29, 2025 at 05:31:07AM +0800, zhangjian wrote:
> Syzkaller found a slab-out-of-bounds in nfs_fh_to_dentry when the memory
> of server_fh is not passed from user space. So I add a check for the input size.
>
> The log is snipped as follows:
We've been seeing failures in -next on LTP on a range of arm64 systems
with NFS roots in the name_to_handle_at01, open_by_handle_at01 and
open_by_handle_at02 tests. I bisected the first of these to this patch
which is in -next as e29be1f394a3dbadc4e and does look rather plausible.
Test log:
25455 19:32:08.444643 tst_tmpdir.c:316: TINFO: Using /ltp-tmp/ltp-hYUZKTq9fM/LTP_namNHNk6a as tmpdir (nfs filesystem)
25456 19:32:08.456042 tst_test.c:1900: TINFO: LTP version: 20250130-1-g60fe84aaf
25457 19:32:08.467435 tst_test.c:1904: TINFO: Tested kernel: 6.16.0-rc6-next-20250716 #1 SMP PREEMPT Wed Jul 16 13:20:00 UTC 2025 aarch64
25458 19:32:08.467734 tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
25459 19:32:08.478825 tst_test.c:1722: TINFO: Overall timeout per run is 0h 01m 30s
25460 19:32:08.479124 tst_buffers.c:57: TINFO: Test is using guarded buffers
25461 19:32:08.490212 name_to_handle_at01.c:94: TFAIL: open_by_handle_at() failed (0): ESTALE (116)
25464 19:32:08.501869 name_to_handle_at01.c:94: TFAIL: open_by_handle_at() failed (3): ESTALE (116)
25465 19:32:08.512847 name_to_handle_at01.c:94: TFAIL: open_by_handle_at() failed
25489 19:32:08.672266 Summary:
25490 19:32:08.672558 passed 0
25491 19:32:08.672788 failed 27
26185 19:33:10.208358 tst_tmpdir.c:316: TINFO: Using /ltp-tmp/ltp-hYUZKTq9fM/LTP_opeiSM8q7 as tmpdir (nfs filesystem)
26188 19:33:10.231165 tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
26189 19:33:10.231460 tst_test.c:1722: TINFO: Overall timeout per run is 0h 01m 30s
26190 19:33:10.242485 tst_buffers.c:57: TINFO: Test is using guarded buffers
26191 19:33:10.253938 open_by_handle_at02.c:98: TPASS: invalid-dfd: open_by_handle_at() failed as expected: EBADF (9)
26192 19:33:10.254233 open_by_handle_at02.c:98: TPASS: stale-dfd: open_by_handle_at() failed as expected: ESTALE (116)
26196 19:33:10.288302 tst_capability.c:29: TINFO: Dropping CAP_DAC_READ_SEARCH(2)
26197 19:33:10.299325 tst_capability.c:41: TINFO: Permitting CAP_DAC_READ_SEARCH(2)
26198 19:33:10.310836 open_by_handle_at02.c:98: TPASS: no-capability: open_by_handle_at() failed as expected: EPERM (1)
26199 19:33:10.311132 open_by_handle_at02.c:92: TFAIL: symlink: open_by_handle_at() should fail with ELOOP: ESTALE (116)
26201 19:33:10.311579 Summary:
26202 19:33:10.311782 passed 6
26203 19:33:10.322143 failed 1
26163 19:33:10.106087 tst_tmpdir.c:316: TINFO: Using /ltp-tmp/ltp-hYUZKTq9fM/LTP_opeJvSZuG as tmpdir (nfs filesystem)
26166 19:33:10.117795 tst_kconfig.c:88: TINFO: Parsing kernel config '/proc/config.gz'
26167 19:33:10.128809 tst_test.c:1722: TINFO: Overall timeout per run is 0h 01m 30s
26168 19:33:10.129102 tst_buffers.c:57: TINFO: Test is using guarded buffers
26169 19:33:10.140117 open_by_handle_at01.c:93: TFAIL: open_by_handle_at() failed (0): ESTALE (116)
26170 19:33:10.151537 open_by_handle_at01.c:93: TFAIL: open_by_handle_at() failed (1): ESTALE (116)
26177 19:33:10.197165 open_by_handle_at01.c:93: TFAIL: open_by_handle_at() failed (8): ESTALE (116)
26179 19:33:10.197714 Summary:
26180 19:33:10.197929 passed 0
26181 19:33:10.198134 failed 9
Bisect log:
git bisect start
# status: waiting for both good and bad commits
# bad: [97987520025658f30bb787a99ffbd9bbff9ffc9d] Add linux-next specific files for 20250721
git bisect bad 97987520025658f30bb787a99ffbd9bbff9ffc9d
# status: waiting for good commit(s), bad commit known
# good: [922467c8223bfa20435da8c9b1c99285aac735ff] Merge branch 'for-linux-next-fixes' of https://gitlab.freedesktop.org/drm/misc/kernel.git
git bisect good 922467c8223bfa20435da8c9b1c99285aac735ff
# bad: [73d0e6df78d50bd07d097a76eddc99cd89864d09] Merge branch 'main' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git
git bisect bad 73d0e6df78d50bd07d097a76eddc99cd89864d09
# bad: [4ff8b17af7757fd16152eb8262c599129c8f5498] Merge branch 'fs-next' of linux-next
git bisect bad 4ff8b17af7757fd16152eb8262c599129c8f5498
# good: [13c60604ff678ac477521d9846fc2f75f0972e4b] Merge branch 'for-next' of https://github.com/sophgo/linux.git
git bisect good 13c60604ff678ac477521d9846fc2f75f0972e4b
# bad: [dce9a77d74cf572c1348d9d47cd79e7b61580f56] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs.git
git bisect bad dce9a77d74cf572c1348d9d47cd79e7b61580f56
# good: [11581c89066a19d050d12b002609ade30bb39ece] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git
git bisect good 11581c89066a19d050d12b002609ade30bb39ece
# good: [1d4e5eefd114eeb35449a8bcbbaa968baaa591e3] Merge branch 'dev' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
git bisect good 1d4e5eefd114eeb35449a8bcbbaa968baaa591e3
# bad: [38a098af636b698e5e14978de4accdc8a5173e24] Merge branch 'linux-next' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6.git
git bisect bad 38a098af636b698e5e14978de4accdc8a5173e24
# good: [bce0d4cf481614eb1f0817a233d9479d609bd0a8] Merge branch 'ksmbd-for-next' of https://github.com/smfrench/smb3-kernel.git
git bisect good bce0d4cf481614eb1f0817a233d9479d609bd0a8
# good: [90c9550a8d65fb9b1bf87baf97a04ed91bf61b33] NFS: support the kernel keyring for TLS
git bisect good 90c9550a8d65fb9b1bf87baf97a04ed91bf61b33
# good: [d897d81671bc4615c80f4f3bd5e6b218f59df50c] pNFS: Handle RPC size limit for layoutcommits
git bisect good d897d81671bc4615c80f4f3bd5e6b218f59df50c
# bad: [e29be1f394a3dbadc4e5d198dfc822d49569bb52] nfs:check for user input filehandle size
git bisect bad e29be1f394a3dbadc4e5d198dfc822d49569bb52
# good: [7db6e66663681abda54f81d5916db3a3b8b1a13d] pNFS: Fix disk addr range check in block/scsi layout
git bisect good 7db6e66663681abda54f81d5916db3a3b8b1a13d
# first bad commit: [e29be1f394a3dbadc4e5d198dfc822d49569bb52] nfs:check for user input filehandle size
* Re: [PATCH V2] nfs:check for user input filehandle size
2025-07-21 22:16 ` Mark Brown
@ 2025-07-21 23:07 ` Trond Myklebust
From: Trond Myklebust @ 2025-07-21 23:07 UTC (permalink / raw)
To: Mark Brown, zhangjian
Cc: steved, joannelkoong, chuck.lever, djwong, jlayton, okorniev,
Aishwarya.Rambhadran, linux-nfs, lilingfeng3
On Mon, 2025-07-21 at 23:16 +0100, Mark Brown wrote:
> On Sun, Jun 29, 2025 at 05:31:07AM +0800, zhangjian wrote:
> > Syzkaller found a slab-out-of-bounds in nfs_fh_to_dentry when the
> > memory
> > of server_fh is not passed from user space. So I add a check for
> > the input size.
> >
> > The log is snipped as follows:
>
> We've been seeing failures in -next on LTP on a range of arm64
> systems
> with NFS roots in the name_to_handle_at01, open_by_handle_at01 and
> open_by_handle_at02 tests. I bisected the first of these to this
> patch
> which is in -next as e29be1f394a3dbadc4e and does look rather
> plausible.
>
> Test log:
>
> 25455 19:32:08.444643 tst_tmpdir.c:316: TINFO: Using /ltp-
> tmp/ltp-hYUZKTq9fM/LTP_namNHNk6a as tmpdir (nfs filesystem)
> 25456 19:32:08.456042 tst_test.c:1900: TINFO: LTP version:
> 20250130-1-g60fe84aaf
> 25457 19:32:08.467435 tst_test.c:1904: TINFO: Tested kernel:
> 6.16.0-rc6-next-20250716 #1 SMP PREEMPT Wed Jul 16 13:20:00 UTC 2025
> aarch64
> 25458 19:32:08.467734 tst_kconfig.c:88: TINFO: Parsing
> kernel config '/proc/config.gz'
> 25459 19:32:08.478825 tst_test.c:1722: TINFO: Overall
> timeout per run is 0h 01m 30s
> 25460 19:32:08.479124 tst_buffers.c:57: TINFO: Test is using
> guarded buffers
> 25461 19:32:08.490212 name_to_handle_at01.c:94: TFAIL:
> open_by_handle_at() failed (0): ESTALE (116)
> 25464 19:32:08.501869 name_to_handle_at01.c:94: TFAIL:
> open_by_handle_at() failed (3): ESTALE (116)
> 25465 19:32:08.512847 name_to_handle_at01.c:94: TFAIL:
> open_by_handle_at() failed
> 25489 19:32:08.672266 Summary:
> 25490 19:32:08.672558 passed 0
> 25491 19:32:08.672788 failed 27
> 26185 19:33:10.208358 tst_tmpdir.c:316: TINFO: Using /ltp-
> tmp/ltp-hYUZKTq9fM/LTP_opeiSM8q7 as tmpdir (nfs filesystem)
> 26188 19:33:10.231165 tst_kconfig.c:88: TINFO: Parsing
> kernel config '/proc/config.gz'
> 26189 19:33:10.231460 tst_test.c:1722: TINFO: Overall
> timeout per run is 0h 01m 30s
> 26190 19:33:10.242485 tst_buffers.c:57: TINFO: Test is using
> guarded buffers
> 26191 19:33:10.253938 open_by_handle_at02.c:98: TPASS:
> invalid-dfd: open_by_handle_at() failed as expected: EBADF (9)
> 26192 19:33:10.254233 open_by_handle_at02.c:98: TPASS:
> stale-dfd: open_by_handle_at() failed as expected: ESTALE (116)
> 26196 19:33:10.288302 tst_capability.c:29: TINFO: Dropping
> CAP_DAC_READ_SEARCH(2)
> 26197 19:33:10.299325 tst_capability.c:41: TINFO: Permitting
> CAP_DAC_READ_SEARCH(2)
> 26198 19:33:10.310836 open_by_handle_at02.c:98: TPASS: no-
> capability: open_by_handle_at() failed as expected: EPERM (1)
> 26199 19:33:10.311132 open_by_handle_at02.c:92: TFAIL:
> symlink: open_by_handle_at() should fail with ELOOP: ESTALE (116)
> 26201 19:33:10.311579 Summary:
> 26202 19:33:10.311782 passed 6
> 26203 19:33:10.322143 failed 1
> 26163 19:33:10.106087 tst_tmpdir.c:316: TINFO: Using /ltp-
> tmp/ltp-hYUZKTq9fM/LTP_opeJvSZuG as tmpdir (nfs filesystem)
> 26166 19:33:10.117795 tst_kconfig.c:88: TINFO: Parsing
> kernel config '/proc/config.gz'
> 26167 19:33:10.128809 tst_test.c:1722: TINFO: Overall
> timeout per run is 0h 01m 30s
> 26168 19:33:10.129102 tst_buffers.c:57: TINFO: Test is using
> guarded buffers
> 26169 19:33:10.140117 open_by_handle_at01.c:93: TFAIL:
> open_by_handle_at() failed (0): ESTALE (116)
> 26170 19:33:10.151537 open_by_handle_at01.c:93: TFAIL:
> open_by_handle_at() failed (1): ESTALE (116)
> 26177 19:33:10.197165 open_by_handle_at01.c:93: TFAIL:
> open_by_handle_at() failed (8): ESTALE (116)
> 26179 19:33:10.197714 Summary:
> 26180 19:33:10.197929 passed 0
> 26181 19:33:10.198134 failed 9
>
> Bisect log:
>
> git bisect start
> # status: waiting for both good and bad commits
> # bad: [97987520025658f30bb787a99ffbd9bbff9ffc9d] Add linux-next
> specific files for 20250721
> git bisect bad 97987520025658f30bb787a99ffbd9bbff9ffc9d
> # status: waiting for good commit(s), bad commit known
> # good: [922467c8223bfa20435da8c9b1c99285aac735ff] Merge branch 'for-
> linux-next-fixes' of
> https://gitlab.freedesktop.org/drm/misc/kernel.git
> git bisect good 922467c8223bfa20435da8c9b1c99285aac735ff
> # bad: [73d0e6df78d50bd07d097a76eddc99cd89864d09] Merge branch 'main'
> of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git
> git bisect bad 73d0e6df78d50bd07d097a76eddc99cd89864d09
> # bad: [4ff8b17af7757fd16152eb8262c599129c8f5498] Merge branch 'fs-
> next' of linux-next
> git bisect bad 4ff8b17af7757fd16152eb8262c599129c8f5498
> # good: [13c60604ff678ac477521d9846fc2f75f0972e4b] Merge branch 'for-
> next' of https://github.com/sophgo/linux.git
> git bisect good 13c60604ff678ac477521d9846fc2f75f0972e4b
> # bad: [dce9a77d74cf572c1348d9d47cd79e7b61580f56] Merge branch 'for-
> next' of
> git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs.git
> git bisect bad dce9a77d74cf572c1348d9d47cd79e7b61580f56
> # good: [11581c89066a19d050d12b002609ade30bb39ece] Merge branch 'for-
> next' of
> git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git
> git bisect good 11581c89066a19d050d12b002609ade30bb39ece
> # good: [1d4e5eefd114eeb35449a8bcbbaa968baaa591e3] Merge branch 'dev'
> of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git
> git bisect good 1d4e5eefd114eeb35449a8bcbbaa968baaa591e3
> # bad: [38a098af636b698e5e14978de4accdc8a5173e24] Merge branch
> 'linux-next' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6.git
> git bisect bad 38a098af636b698e5e14978de4accdc8a5173e24
> # good: [bce0d4cf481614eb1f0817a233d9479d609bd0a8] Merge branch
> 'ksmbd-for-next' of https://github.com/smfrench/smb3-kernel.git
> git bisect good bce0d4cf481614eb1f0817a233d9479d609bd0a8
> # good: [90c9550a8d65fb9b1bf87baf97a04ed91bf61b33] NFS: support the
> kernel keyring for TLS
> git bisect good 90c9550a8d65fb9b1bf87baf97a04ed91bf61b33
> # good: [d897d81671bc4615c80f4f3bd5e6b218f59df50c] pNFS: Handle RPC
> size limit for layoutcommits
> git bisect good d897d81671bc4615c80f4f3bd5e6b218f59df50c
> # bad: [e29be1f394a3dbadc4e5d198dfc822d49569bb52] nfs:check for user
> input filehandle size
> git bisect bad e29be1f394a3dbadc4e5d198dfc822d49569bb52
> # good: [7db6e66663681abda54f81d5916db3a3b8b1a13d] pNFS: Fix disk
> addr range check in block/scsi layout
> git bisect good 7db6e66663681abda54f81d5916db3a3b8b1a13d
> # first bad commit: [e29be1f394a3dbadc4e5d198dfc822d49569bb52]
> nfs:check for user input filehandle size
Thanks for the heads-up Mark! I'll back this patch out for now.
--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trondmy@kernel.org, trond.myklebust@hammerspace.com
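The guard argued over in this thread, as an added example in user-space C (not code from the patch, from fs/nfs/export.c, or from any of the posters): it runs the condition exactly as posted and a minimal corrected one over a constructed 9-word handle and over a 2-word truncation of it. EMBED_FH_OFF = 3, the 16-bit size field at the start of the embedded handle and fh_len counted in 32-bit words are assumptions, not values taken from the thread.

```c
/*
 * Added example, not code from the thread or from fs/nfs/export.c: a user-space
 * model of the guard nfs_fh_to_dentry() needs before it reads the server
 * filehandle embedded in fid->raw.  Assumed: EMBED_FH_OFF = 3, a 16-bit size
 * field at the start of the embedded handle, fh_len counted in 32-bit XDR words.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EMBED_FH_OFF   3                 /* assumed word offset of the embedded fh */
#define XDR_QUADLEN(n) (((n) + 3) >> 2)  /* bytes -> 32-bit words, rounded up */

struct nfs_fh {
    uint16_t size;                       /* the 2-byte read in the KASAN report */
    uint8_t  data[128];                  /* assumed NFS_MAXFHSIZE */
};

enum verdict { FH_OK, FH_STALE, FH_INVAL, FH_OOB_READ };

/* Stand-in for reading server_fh->size: refused (FH_OOB_READ) when the two
 * size bytes lie beyond the fh_len words copied from user space. */
static int read_embedded_size(const uint32_t *raw, int fh_len, uint16_t *size)
{
    if (fh_len < EMBED_FH_OFF + 1)
        return -1;
    memcpy(size, raw + EMBED_FH_OFF, sizeof(*size));
    return 0;
}

/* The pre-existing tail of nfs_fh_to_dentry(): "NULL translates to ESTALE". */
static enum verdict check_total_len(int fh_len, int fh_type, uint16_t size)
{
    int len = EMBED_FH_OFF + XDR_QUADLEN(offsetof(struct nfs_fh, data) + size);

    return (fh_len < len || fh_type != len) ? FH_STALE : FH_OK;
}

/* The guard as posted in the patch, applied to a user-space buffer. */
enum verdict decode_as_patched(const uint32_t *raw, int fh_len, int fh_type)
{
    const uint32_t *server_fh = raw + EMBED_FH_OFF;
    uint16_t size;

    /* First term can never hold; the second fires only when fh_len is LARGER
     * than EMBED_FH_OFF + 1, so a short handle still reaches the size read. */
    if ((const char *)server_fh <= (const char *)raw ||
        (int)(server_fh - raw + 1) < fh_len)
        return FH_INVAL;
    if (read_embedded_size(raw, fh_len, &size) < 0)
        return FH_OOB_READ;
    return check_total_len(fh_len, fh_type, size);
}

/* Minimal corrected guard: the size field must lie inside the copied words. */
enum verdict decode_fixed(const uint32_t *raw, int fh_len, int fh_type)
{
    uint16_t size;

    if (fh_len < EMBED_FH_OFF + 1)       /* too short to hold server_fh->size */
        return FH_STALE;
    if (read_embedded_size(raw, fh_len, &size) < 0)
        return FH_OOB_READ;              /* unreachable after the guard above */
    return check_total_len(fh_len, fh_type, size);
}

/* Constructed input: fileid high/low, type word, then a 20-byte server handle
 * (9 words in total).  fh_len <= 0 means "pass the full length"; fh_type is
 * always the full length, as a well-formed caller would pass it. */
enum verdict decode_sample(int patched, int fh_len)
{
    uint32_t raw[16] = { 0x1234, 0x5678, 1 };            /* constructed fileid/type */
    uint16_t server_size = 20;
    int len = EMBED_FH_OFF + XDR_QUADLEN(offsetof(struct nfs_fh, data) + server_size);

    memcpy(raw + EMBED_FH_OFF, &server_size, sizeof(server_size));
    if (fh_len <= 0)
        fh_len = len;
    return patched ? decode_as_patched(raw, fh_len, len)
                   : decode_fixed(raw, fh_len, len);
}
```

On the constructed input the posted guard returns FH_INVAL for the well-formed 9-word handle and lets the 2-word one reach the size read, while the corrected guard accepts the first and rejects the second before the read.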