[PATCH] nfsd: fix NULL pointer dereference in check_export()

From: Jeff Layton

Date: Fri Jan 16 2026 - 13:22:23 EST


Given the right export table, it's possible to trigger a NULL pointer
dereference when mountd sends a path that has no export operations.
Check that the export_ops are set and just return -EINVAL if not.

Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
Triggering this required a rather pathological export table (I just
exported "/"). Given that, I'm on the fence as to whether we want to
send this to stable.
---
fs/nfsd/export.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c
index 2a1499f2ad196a6033787260881e451146283bdc..4187c109d84985d33a69e19291edbf2b27b257d8 100644
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -405,6 +405,7 @@ static struct svc_export *svc_export_lookup(struct svc_export *);
static int check_export(const struct path *path, int *flags, unsigned char *uuid)
{
struct inode *inode = d_inode(path->dentry);
+ struct export_operations *export_op = inode->i_sb->s_export_op;

/*
* We currently export only dirs, regular files, and (for v4
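Review bot: The new local on the `+` line drops a qualifier: `s_export_op` is declared as `const struct export_operations *` in the super_block definition, so `struct export_operations *export_op = inode->i_sb->s_export_op;` discards const and will draw a -Wdiscarded-qualifiers warning under the kernel's default -Wall build. Nothing in this function writes through the pointer, and both `exportfs_can_decode_fh()` and the `->flags` read later in the function take or accept a const pointer, so the declaration should be `const struct export_operations *export_op = inode->i_sb->s_export_op;`. check_export's body continues outside this hunk.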
@@ -422,14 +423,20 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
if (*flags & NFSEXP_V4ROOT)
*flags |= NFSEXP_READONLY;

- /* There are two requirements on a filesystem to be exportable.
- * 1: We must be able to identify the filesystem from a number.
+ /* There are four requirements on a filesystem to be exportable:
+ * 1: It must define sb->s_export_op
+ * 2: We must be able to identify the filesystem from a number.
* either a device number (so FS_REQUIRES_DEV needed)
* or an FSID number (so NFSEXP_FSID or ->uuid is needed).
- * 2: We must be able to find an inode from a filehandle.
+ * 3: We must be able to find an inode from a filehandle.
* This means that s_export_op must be set.
- * 3: We must not currently be on an idmapped mount.
+ * 4: We must not currently be on an idmapped mount.
*/
+ if (!export_op) {
+ dprintk("%s: fs doesn't define export_operations!\n", __func__);
+ return -EINVAL;
+ }
+
if (!(inode->i_sb->s_type->fs_flags & FS_REQUIRES_DEV) &&
!(*flags & NFSEXP_FSID) &&
uuid == NULL) {
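Review bot: The rewritten comment now describes the same condition twice: new item 1 says the filesystem must define `sb->s_export_op`, but item 3 still ends with "This means that s_export_op must be set.", which is the line the new `if (!export_op)` guard already enforces. Since the check that backs item 3 is the `exportfs_can_decode_fh()` call further down, which tests that the operations table can actually decode a filehandle, I would reword that sentence to `* This means that s_export_op must provide a filehandle decode operation.` so the numbered list matches the sequence of checks. The ordering itself looks right: the NULL guard precedes the FS_REQUIRES_DEV/FSID test and every later dereference of `export_op`, though the function's remaining checks lie outside this hunk.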
@@ -437,7 +444,7 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
return -EINVAL;
}

- if (!exportfs_can_decode_fh(inode->i_sb->s_export_op)) {
+ if (!exportfs_can_decode_fh(export_op)) {
dprintk("exp_export: export of invalid fs type.\n");
return -EINVAL;
}
@@ -447,7 +454,7 @@ static int check_export(const struct path *path, int *flags, unsigned char *uuid
return -EINVAL;
}

- if (inode->i_sb->s_export_op->flags & EXPORT_OP_NOSUBTREECHK &&
+ if (export_op->flags & EXPORT_OP_NOSUBTREECHK &&
!(*flags & NFSEXP_NOSUBTREECHECK)) {
dprintk("%s: %s does not support subtree checking!\n",
__func__, inode->i_sb->s_type->name);

---
base-commit: 983d014aafb14ee5e4915465bf8948e8f3a723b5
change-id: 20260116-nfsd-fixes-8c02927271e6

Best regards,
--
Jeff Layton <jlayton@xxxxxxxxxx>