NFSv4: limit lease period in nfs4_set_lease_period()

Sergey Shtylyov · Anna Schumaker · commit e29a3e61eef6 · 2026-02-09T13:39:39.000-05:00
In nfs4_set_lease_period(), the passed 32-bit lease period in seconds is
multiplied by HZ -- that might overflow before being implicitly cast to
*unsigned long* (32/64-bit type), while initializing the lease variable.
Cap the lease period at MAX_LEASE_PERIOD (#define'd to 1 hour for now),
before multipying to avoid such overflow...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Signed-off-by: Sergey Shtylyov &lt;s.shtylyov@omp.ru&gt;
Suggested-by: Trond Myklebust &lt;trondmy@kernel.org&gt;
Signed-off-by: Anna Schumaker &lt;anna.schumaker@oracle.com&gt;
diff --git a/fs/nfs/nfs4renewd.c b/fs/nfs/nfs4renewd.c
@@ -133,6 +133,8 @@ nfs4_kill_renewd(struct nfs_client *clp)
 	cancel_delayed_work_sync(&clp->cl_renewd);
 }
 
+#define MAX_LEASE_PERIOD (60 * 60)	/* 1 hour */
+
 /**
  * nfs4_set_lease_period - Sets the lease period on a nfs_client
  *
@@ -141,7 +143,13 @@ nfs4_kill_renewd(struct nfs_client *clp)
  */
 void nfs4_set_lease_period(struct nfs_client *clp, u32 period)
 {
-	unsigned long lease = period * HZ;
+	unsigned long lease;
+
+	/* Limit the lease period */
+	if (period < MAX_LEASE_PERIOD)
+		lease = period * HZ;
+	else
+		lease = MAX_LEASE_PERIOD * HZ;
 
 	spin_lock(&clp->cl_lock);
 	clp->cl_lease_time = lease;
