From: Trond Myklebust Date: Tue, 25 Aug 2015 15:16:13 +0000 (-0400) Subject: NFSv4.1/pnfs: Add sanity check for the layout range returned by the server X-Git-Tag: firefly_0821_release~176^2~1127^2~31 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=540d9864e1c5f8d3ca2ecc919e7d8a47e713ec3f;p=firefly-linux-kernel-4.4.55.git NFSv4.1/pnfs: Add sanity check for the layout range returned by the server Signed-off-by: Trond Myklebust --- diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c index 3530bb703214..68cc4b169769 100644 --- a/fs/nfs/pnfs.c +++ b/fs/nfs/pnfs.c @@ -1561,6 +1561,26 @@ out_unlock: } EXPORT_SYMBOL_GPL(pnfs_update_layout); +static bool +pnfs_sanity_check_layout_range(struct pnfs_layout_range *range) +{ + switch (range->iomode) { + case IOMODE_READ: + case IOMODE_RW: + break; + default: + return false; + } + if (range->offset == NFS4_MAX_UINT64) + return false; + if (range->length == 0) + return false; + if (range->length != NFS4_MAX_UINT64 && + range->length > NFS4_MAX_UINT64 - range->offset) + return false; + return true; +} + struct pnfs_layout_segment * pnfs_layout_process(struct nfs4_layoutget *lgp) { @@ -1569,7 +1589,10 @@ pnfs_layout_process(struct nfs4_layoutget *lgp) struct pnfs_layout_segment *lseg; struct inode *ino = lo->plh_inode; LIST_HEAD(free_me); - int status = 0; + int status = -EINVAL; + + if (!pnfs_sanity_check_layout_range(&res->range)) + goto out; /* Inject layout blob into I/O device driver */ lseg = NFS_SERVER(ino)->pnfs_curr_ld->alloc_lseg(lo, res, lgp->gfp_flags);