authorSergey Shtylyov <s.shtylyov@omp.ru>2025-12-08 23:15:04 +0300
committerAnna Schumaker <anna.schumaker@oracle.com>2026-02-09 13:39:39 -0500
commite29a3e61eef6b6c2e60bc1872e9da3bcdbc46c17 (patch)
tree323d10e636c44340411a80ebfdeacb55af291c2b
parent3d57c44e918012db1f901d50bc9195a8812ad602 (diff)
NFSv4: limit lease period in nfs4_set_lease_period()
In nfs4_set_lease_period(), the passed 32-bit lease period in seconds is multiplied by HZ -- that might overflow before being implicitly cast to *unsigned long* (32/64-bit type), while initializing the lease variable. Cap the lease period at MAX_LEASE_PERIOD (#define'd to 1 hour for now), before multiplying to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru> Suggested-by: Trond Myklebust <trondmy@kernel.org> Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
-rw-r--r--fs/nfs/nfs4renewd.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/fs/nfs/nfs4renewd.c b/fs/nfs/nfs4renewd.c
index 043b2de8d416..30065df1482e 100644
--- a/fs/nfs/nfs4renewd.c
+++ b/fs/nfs/nfs4renewd.c
@@ -133,6 +133,8 @@ nfs4_kill_renewd(struct nfs_client *clp)
cancel_delayed_work_sync(&clp->cl_renewd);
}
+#define MAX_LEASE_PERIOD (60 * 60) /* 1 hour */
+
/**
* nfs4_set_lease_period - Sets the lease period on a nfs_client
*
@@ -141,7 +143,13 @@ nfs4_kill_renewd(struct nfs_client *clp)
*/
void nfs4_set_lease_period(struct nfs_client *clp, u32 period)
{
- unsigned long lease = period * HZ;
+ unsigned long lease;
+
+ /* Limit the lease period */
+ if (period < MAX_LEASE_PERIOD)
+ lease = period * HZ;
+ else
+ lease = MAX_LEASE_PERIOD * HZ;
spin_lock(&clp->cl_lock);
clp->cl_lease_time = lease;
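Review bot: The overflow protection in `nfs4_set_lease_period()` still depends on 32-bit arithmetic: `period * HZ` is multiplied in the width of `u32` and only widened on assignment, so it is safe only while `MAX_LEASE_PERIOD * HZ` fits in 32 bits, and the commit message describes the one-hour cap as provisional. Widening before the multiply removes that coupling on 64-bit builds and collapses the branch, e.g. `lease = (unsigned long)min_t(u32, period, MAX_LEASE_PERIOD) * HZ;`. The comment `/* Limit the lease period */` restates the code; `/* Cap first: period * HZ is computed in 32 bits and can wrap */` would record the reason. The clamp is also silent, so a lease longer than an hour (presumably a server-advertised value; the caller is not visible here) is shortened with no trace, and a one-line rate-limited debug message would help when diagnosing renewal behaviour; the function body continues past the end of the hunk.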