[PATCH] pnfs/flexfiles: reject zero version_count in GETDEVICEINFO
From: Junrui Luo
Date: Mon Apr 20 2026 - 09:03:12 EST
nfs4_ff_alloc_deviceid_node() parses the flexfiles device address from
a GETDEVICEINFO response and passes version_count to kzalloc_objs()
without validating it is non-zero. A zero count makes kzalloc_objs()
return ZERO_SIZE_PTR, which passes the NULL check.
This leads to a NULL pointer dereference when
nfs4_ff_layout_ds_version() later accesses ds_versions[0] through the
ZERO_SIZE_PTR.
Fix by rejecting version_count == 0 before the allocation.
Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
fs/nfs/flexfilelayout/flexfilelayoutdev.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
index c40395ae0814..d5aa6bf3ecbc 100644
--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
@@ -99,6 +99,11 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
version_count = be32_to_cpup(p);
dprintk("%s: version count %d\n", __func__, version_count);
+ if (version_count == 0) {
+ ret = -EINVAL;
+ goto out_err_drain_dsaddrs;
+ }
+
ds_versions = kzalloc_objs(struct nfs4_ff_ds_version, version_count,
gfp_flags);
if (!ds_versions)
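Review bot: The added `if (version_count == 0)` check bounds version_count only from below. The value is read from the GETDEVICEINFO response with be32_to_cpup(p) and, in the lines shown, still reaches kzalloc_objs() with no upper limit, so the server continues to control the allocation size. If nothing earlier in the function caps it, consider rejecting counts above what the driver can use in the same condition. A dprintk on the rejection path would also make a malformed response visible in debug output, since the existing dprintk only logs the raw count. Separately, that dprintk formats version_count with %d; if the variable is unsigned, %u is the matching specifier.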
---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260420-fixes-9f910b7b5cde
Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>