Re: [PATCH 2/2] NFSv4/flexfile,filelayout: bound multipath DS count in GETDEVICEINFO

[Anna Schumaker]

Hi Michael,

On Fri, May 22, 2026, at 9:40 PM, Michael Bommarito wrote:
> Both the flexfile and the (legacy) file pNFS layout drivers decode a
> multipath-DS count from a server-supplied GETDEVICEINFO body and then
> iterate it via nfs4_decode_mp_ds_addr() without any upper bound. The
> filelayout driver already caps the outer ds_num against
> NFS4_PNFS_MAX_MULTI_CNT (== 256) but applies no equivalent cap to the
> inner mp_count; the flexfile driver applies no cap on either.
>
> In addition, both inner loops ignore a NULL return from
> nfs4_decode_mp_ds_addr(), so once the on-wire data no longer matches
> a valid netaddr4 encoding the loop is free to consume the trailing
> bytes of the device_addr opaque as garbage netid + uaddr pairs. A
> malicious or compromised pNFS metadata server can therefore drive
> the inner loop indefinitely (up to 2^32 - 1 iterations) against a
> fixed-size 56-byte body, with each iteration triggering an
> allocation / kmemdup_nul cycle inside the decoder.
>
> Promote NFS4_PNFS_MAX_MULTI_CNT from the filelayout private header to
> include/linux/nfs4.h so both drivers (and any future pNFS layout
> driver that decodes a multipath address list) bound the wire-level
> field consistently. Apply the cap to the inner mp_count in both
> drivers, matching the existing ds_num check, and bail on the first
> NULL return so a server that lies about mp_count cannot quietly
> extend the loop into the trailing layout-body bytes. This is
> defense-in-depth on top of the companion patch which closes the
> NULL-deref in nfs4_decode_mp_ds_addr(); either patch alone closes
> the kernel-panic shape, both together close the latent
> unbounded-decode class.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 35124a0994fc ("Cleanup XDR parsing for LAYOUTGET, GETDEVICEINFO")
> Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
> ---
>  fs/nfs/filelayout/filelayout.h            |  2 +-
>  fs/nfs/filelayout/filelayoutdev.c         |  7 +++++--
>  fs/nfs/flexfilelayout/flexfilelayoutdev.c | 10 ++++++++--
>  include/linux/nfs4.h                      |  3 +++
>  4 files changed, 17 insertions(+), 5 deletions(-)
>
> With this patch alone the crafted GETDEVICEINFO at multipath_count >= 3
> is rejected at the bound check; malformed netaddr in the inner loop
> bails on the first NULL return.  Either this patch or the companion
> 1/2 closes the panic; both together close the unbounded-decode class.
>
> Baseline multipath_count = 1 mount + read completes normally.
>
>
> diff --git a/fs/nfs/filelayout/filelayout.h b/fs/nfs/filelayout/filelayout.h
> index c7bb5da93307d..03298f2e7cd69 100644
> --- a/fs/nfs/filelayout/filelayout.h
> +++ b/fs/nfs/filelayout/filelayout.h
> @@ -39,7 +39,7 @@
>   * RFC 5661 multipath_list4 structures.
>   */
>  #define NFS4_PNFS_MAX_STRIPE_CNT 4096
> -#define NFS4_PNFS_MAX_MULTI_CNT  256 /* 256 fit into a u8 stripe_index */
> +/* NFS4_PNFS_MAX_MULTI_CNT now in <linux/nfs4.h>; shared with flexfile. */

I don't think we need the comment saying that the value has moved.

> 
>  enum stripetype4 {
>  	STRIPE_SPARSE = 1,
> diff --git a/fs/nfs/filelayout/filelayoutdev.c 
> b/fs/nfs/filelayout/filelayoutdev.c
> index 7226989ee4d53..c58c786dcf011 100644
> --- a/fs/nfs/filelayout/filelayoutdev.c
> +++ b/fs/nfs/filelayout/filelayoutdev.c
> @@ -159,10 +159,13 @@ nfs4_fl_alloc_deviceid_node(struct nfs_server 
> *server, struct pnfs_device *pdev,
>  			goto out_err_free_deviceid;
> 
>  		mp_count = be32_to_cpup(p); /* multipath count */
> +		if (mp_count > NFS4_PNFS_MAX_MULTI_CNT)
> +			goto out_err_free_deviceid;
>  		for (j = 0; j < mp_count; j++) {
>  			da = nfs4_decode_mp_ds_addr(net, &stream, gfp_flags);
> -			if (da)
> -				list_add_tail(&da->da_node, &dsaddrs);
> +			if (!da)
> +				break;
> +			list_add_tail(&da->da_node, &dsaddrs);
>  		}
>  		if (list_empty(&dsaddrs)) {
>  			dprintk("%s: no suitable DS addresses found\n",
> diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c 
> b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
> index c40395ae08142..faed05cbe9f1c 100644
> --- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
> +++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
> @@ -78,12 +78,18 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server 
> *server, struct pnfs_device *pdev,
>  		goto out_err_drain_dsaddrs;
>  	mp_count = be32_to_cpup(p);
>  	dprintk("%s: multipath ds count %d\n", __func__, mp_count);
> +	if (mp_count > NFS4_PNFS_MAX_MULTI_CNT) {
> +		dprintk("%s: multipath count %u greater than supported maximum %d\n",
> +			__func__, mp_count, NFS4_PNFS_MAX_MULTI_CNT);
> +		goto out_err_drain_dsaddrs;
> +	}
> 
>  	for (i = 0; i < mp_count; i++) {
>  		/* multipath ds */
>  		da = nfs4_decode_mp_ds_addr(net, &stream, gfp_flags);
> -		if (da)
> -			list_add_tail(&da->da_node, &dsaddrs);
> +		if (!da)
> +			break;
> +		list_add_tail(&da->da_node, &dsaddrs);
>  	}
>  	if (list_empty(&dsaddrs)) {
>  		dprintk("%s: no suitable DS addresses found\n",
> diff --git a/include/linux/nfs4.h b/include/linux/nfs4.h
> index d87be1f25273a..bfc30baa8159a 100644
> --- a/include/linux/nfs4.h
> +++ b/include/linux/nfs4.h
> @@ -767,6 +767,9 @@ enum pnfs_block_extent_state {
>  	PNFS_BLOCK_NONE_DATA		= 3,
>  };
> 
> +/* Maximum NFSv4.1 pNFS multipath data-server address count */
> +#define NFS4_PNFS_MAX_MULTI_CNT		256

In the original location, this had a comment saying where the 256 came
from. Can you carry that over to here too, please?

Thanks,
Anna

> +
>  /* on the wire size of a block layout extent */
>  #define PNFS_BLOCK_EXTENT_SIZE \
>  	(7 * sizeof(__be32) + NFS4_DEVICEID4_SIZE)
> -- 
> 2.53.0