Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 75e67eed authored by Trond Myklebust's avatar Trond Myklebust Committed by Greg Kroah-Hartman
Browse files

NFSv4.1: Fix uninitialised variable in devicenotify 



[ Upstream commit b05bf5c63b326ce1da84ef42498d8e0e292e694c ]

When decode_devicenotify_args() exits with no entries, we need to
ensure that the struct cb_devicenotifyargs is initialised to
{ 0, NULL } in order to avoid problems in
nfs4_callback_devicenotify().

Reported-by: default avatar <rtm@csail.mit.edu>
Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 6efe3961

fs/nfs/callback.h

+1 −1
Original line number Diff line number Diff line
@@ -168,7 +168,7 @@ struct cb_devicenotifyitem { 
};



struct cb_devicenotifyargs {

	int				 ndevs;

	uint32_t			 ndevs;

	struct cb_devicenotifyitem	 *devs;

};

fs/nfs/callback_proc.c

+1 −1
Original line number Diff line number Diff line
@@ -364,7 +364,7 @@ __be32 nfs4_callback_devicenotify(void *argp, void *resp, 
				  struct cb_process_state *cps)

{

	struct cb_devicenotifyargs *args = argp;

	int i;

	uint32_t i;

	__be32 res = 0;

	struct nfs_client *clp = cps->clp;

	struct nfs_server *server = NULL;

fs/nfs/callback_xdr.c

+9 −9
Original line number Diff line number Diff line
@@ -258,11 +258,9 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp, 
				void *argp)

{

	struct cb_devicenotifyargs *args = argp;

	uint32_t tmp, n, i;

	__be32 *p;

	__be32 status = 0;

	u32 tmp;

	int n, i;

	args->ndevs = 0;



	/* Num of device notifications */

	p = xdr_inline_decode(xdr, sizeof(uint32_t));
@@ -271,7 +269,7 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp, 
		goto out;

	}

	n = ntohl(*p++);

	if (n <= 0)

	if (n == 0)

		goto out;

	if (n > ULONG_MAX / sizeof(*args->devs)) {

		status = htonl(NFS4ERR_BADXDR);
@@ -330,19 +328,21 @@ __be32 decode_devicenotify_args(struct svc_rqst *rqstp, 
			dev->cbd_immediate = 0;

		}



		args->ndevs++;



		dprintk("%s: type %d layout 0x%x immediate %d\n",

			__func__, dev->cbd_notify_type, dev->cbd_layout_type,

			dev->cbd_immediate);

	}

	args->ndevs = n;

	dprintk("%s: ndevs %d\n", __func__, args->ndevs);

	return 0;

err:

	kfree(args->devs);

out:

	args->devs = NULL;

	args->ndevs = 0;

	dprintk("%s: status %d ndevs %d\n",

		__func__, ntohl(status), args->ndevs);

	return status;

err:

	kfree(args->devs);

	goto out;

}



static __be32 decode_sessionid(struct xdr_stream *xdr,