[PATCH 02/19] nfsd: clear opcnt on compound arg release to prevent OOB read

Next message: Jeff Layton: "[PATCH 03/19] nfsd: add missing read barrier to rpc_status_get dumpit seqcount retry"
Previous message: Alexey Klimov: "[PATCH v5 6/6] arm64: dts: exynos850: add PMU interrupt generation node"
In reply to: Jeff Layton: "[PATCH 00/19] nfsd: more bugfixes"
Next in thread: Jeff Layton: "[PATCH 03/19] nfsd: add missing read barrier to rpc_status_get dumpit seqcount retry"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jeff Layton

Date: Tue Jun 09 2026 - 13:51:37 EST

nfsd4_release_compoundargs() resets args->ops to the inline iops[8]
array when the dynamically-allocated ops buffer is freed, but leaves
args->opcnt at its original value (which can be up to 200 for NFSv4.1+
compounds).

If rq_status_counter is stuck at an odd value (which can happen when
nfsd_dispatch() hits an error path after setting it odd), the RPC
status dumpit handler reads min(opcnt, 16) entries from args->ops[].
Since iops only has 8 elements and is the last field in struct
nfsd4_compoundargs, reading indices 8-15 accesses adjacent slab memory
and leaks it to userspace via netlink.

Zero opcnt unconditionally in nfsd4_release_compoundargs() so stale
compound metadata is never exposed through the status interface.

Fixes: bd9d6a3efa97 ("NFSD: add rpc_status netlink support")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
fs/nfsd/nfs4xdr.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index b9037d99b564..1e4a51926910 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -6440,6 +6440,7 @@ void nfsd4_release_compoundargs(struct svc_rqst *rqstp)
args->ops = args->iops;
kvfree_rcu_mightsleep(old_ops);
}
+ args->opcnt = 0;
while (args->to_free) {
struct svcxdr_tmpbuf *tb = args->to_free;
args->to_free = tb->next;

--
2.54.0