[PATCH] net: sunrpc: fix slab-out-of-bounds read in cache_seq_start_rcu
From: Alessandro Zanni
Date: Tue Apr 28 2026 - 10:13:35 EST
Syzbot reported slab-out-of-bounds read in cache_seq_start_rcu().
The issue happens in function __cache_seq_start() when
hlist_for_each_entry_rcu() is invoked and the hash value is greater
than the hash_size.
This fix verifies that the hash index is within the hash_size value
before dereferencing the hash table: if the hash index is out of
bounds return NULL, otherwise access the value.
Fixes: ae74136b4bb6 ("SUNRPC: Allow cache lookups to use RCU protection rather than the r/w spinlock")
Reported-by: syzbot+60cfa08822470bbebe44@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=60cfa08822470bbebe44
Signed-off-by: Alessandro Zanni <alessandro.zanni87@xxxxxxxxx>
---
net/sunrpc/cache.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 7081c1214e6c..aac5f03112f5 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -1348,6 +1348,9 @@ static void *__cache_seq_start(struct seq_file *m, loff_t *pos)
hash = n >> 32;
entry = n & ((1LL<<32) - 1);
+ if (hash >= cd->hash_size)
+ return NULL;
+
hlist_for_each_entry_rcu(ch, &cd->hash_table[hash], cache_list)
if (!entry--)
return ch;
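Review bot: The bounds check added before hlist_for_each_entry_rcu() carries no comment saying where an out-of-range hash can come from, and the commit message describes the condition as "greater than the hash_size" while the code tests hash >= cd->hash_size. The >= in the code is the correct bound for indexing cd->hash_table[hash], since an index equal to hash_size is already past the end, so the message should read "greater than or equal to". Because hash is taken from the upper 32 bits of n, a one-line comment above the check noting that the value is not guaranteed to be in range would help the next reader. The declaration of hash is not visible in this hunk; it is worth confirming that it is an unsigned type so the comparison cannot be passed by a negative value.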
--
2.47.3