[PATCH 1/4] nfsd: check for FILEID_INVALID in setup_notify_fhandle
From: Jeff Layton
Date: Sat May 23 2026 - 12:18:30 EST
exportfs_encode_inode_fh() can return FILEID_INVALID (255) when the
buffer is too small. Since this is a positive value, the existing
check (fileid_type < 0) won't catch it. If this happens, maxsize will
have been updated to the required (larger) size, and fhp->fh_size
could overflow the fh_raw buffer, leading to an out-of-bounds read
when the filehandle is later encoded onto the wire.
Add a check for FILEID_INVALID alongside the existing negative return
check.
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
fs/nfsd/nfs4xdr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 2143fb6d5e3f..2f8d26601581 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -4209,7 +4209,7 @@ setup_notify_fhandle(struct dentry *dentry, struct nfs4_file *fi,
}
fileid_type = exportfs_encode_inode_fh(inode, fid, &maxsize, parent, flags);
- if (fileid_type < 0)
+ if (fileid_type < 0 || fileid_type == FILEID_INVALID)
return false;
fhp->fh_fileid_type = fileid_type;
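Review bot: the new condition is right, but the reason for the extra clause is not visible at the call site, so a one-line comment above the `if` would help future readers who see `fileid_type < 0 || fileid_type == FILEID_INVALID` and wonder why a positive value needs special handling; something like `/* FILEID_INVALID is positive (255); maxsize now holds the required size */`. Since the early `return false` sits before `fhp->fh_fileid_type = fileid_type;`, the too-small-buffer case no longer reaches the assignment, which is what keeps the later fh_size/fh_raw mismatch described in the changelog from occurring.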
--
2.54.0