nfsd: check get_user() return when reading princhashlen

In __cld_pipe_inprogress_downcall(), the get_user() that reads
princhashlen from the userspace cld_msg_v2 buffer does not check its
return value. A failing copy leaves princhashlen with uninitialised
stack contents, which are then used to drive memdup_user() and stored
as princhash.len on the resulting reclaim record. The other get_user()
calls in this function all check the return; only this one is missed,
which is most likely a copy-paste oversight from when v2 upcalls were
introduced.

Mirror the existing pattern used a few lines above for namelen.
namecopy is declared with __free(kfree) so the early return cleans up
the already-allocated buffer automatically.

Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
Cc: stable@vger.kernel.org
Signed-off-by: Dominik Woźniak <stalion@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index b338473d6e52d13effc38ae70396e768f8bacd1e..6ea25a52d2f4e4ef5531e4c676b3d17bec7285b7 100644 (file)
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -718,7 +718,8 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
                                return PTR_ERR(namecopy);
                        name.data = namecopy;
                        name.len = namelen;
-                       get_user(princhashlen, &ci->cc_princhash.cp_len);
+                       if (get_user(princhashlen, &ci->cc_princhash.cp_len))
+                               return -EFAULT;
                        if (princhashlen > 0) {
                                princhashcopy = memdup_user(
                                        &ci->cc_princhash.cp_data,