Re: [REGRESSION 6.1.70] system calls with CIFS mounts failing with "Resource temporarily unavailable"

On Mon, Jan 08, 2024 at 11:52:45AM -0300, Paulo Alcantara wrote:
> Hi Jan,
> 
> Thanks for the report.
> 
> So this bug is related to an off-by-one in smb2_set_next_command() when
> the client attempts to pad SMB2_QUERY_INFO request -- since it isn't 8 byte
> aligned -- even though smb2_query_info_compound() doesn't provide an extra
> iov for such padding.
> 
> v6.1.y doesn't have
> 
>         eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
> 
> and the commit does
> 
> 	+	if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
> 	+		     len > CIFSMaxBufSize))
> 	+		return -EINVAL;
> 	+
> 
> so sizeof(*req) will wrongly include the extra byte from
> smb2_query_info_req::Buffer making @len unaligned and therefore causing
> OOB in smb2_set_next_command().
> 
> A simple fix for that would be
> 
> 	diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
> 	index 05ff8a457a3d..aed5067661de 100644
> 	--- a/fs/smb/client/smb2pdu.c
> 	+++ b/fs/smb/client/smb2pdu.c
> 	@@ -3556,7 +3556,7 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
> 	 
> 	 	iov[0].iov_base = (char *)req;
> 	 	/* 1 for Buffer */
> 	-	iov[0].iov_len = len;
> 	+	iov[0].iov_len = len - 1;
> 	 	return 0;
> 	 }
> 
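Review bot: the `- 1` in `iov[0].iov_len = len - 1;` is only correct while `smb2_query_info_req::Buffer` is a 1-element array, and the unchanged `/* 1 for Buffer */` comment above it does not state that dependency. If eb3e28c1e89b is later applied to the same tree, `sizeof(*req)` stops counting that byte and this line would send one byte too few. Either expand the comment to say the subtraction must go away with the flex-array conversion, or derive the length from the offset of `Buffer` instead of `sizeof(*req)` minus a constant.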

Why can't we just include eb3e28c1e89b ("smb3: Replace smb2pdu 1-element
arrays with flex-arrays") to resolve this?

I've queued it up now.

thanks,

greg k-h
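
The length problem described in the quoted message, as an added example that is not part of this thread or of the kernel source: a simplified user-space model that checks for a spare iov slot instead of writing past the array. The 104-byte fixed header is a constructed stand-in for the request, and `model_iov`, `model_set_next` and `chain_with_len` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FIXED_LEN 104 /* constructed: an 8-byte-aligned fixed header size */

struct req_one_elem { uint8_t fixed[FIXED_LEN]; uint8_t Buffer[1]; }; /* 1-element array */
struct req_flex     { uint8_t fixed[FIXED_LEN]; uint8_t Buffer[];  }; /* flex array */
struct model_iov    { const void *base; size_t len; };

/* Bytes needed to round len up to the next multiple of 8. */
static size_t pad_needed(size_t len) { return (8 - (len & 7)) & 7; }

/*
 * Model of chaining a request into a compound: an unaligned request gets a
 * padding iov appended. This model refuses when no spare slot exists.
 * Returns the new iov count, or -1 if padding would land outside the array.
 */
static int model_set_next(struct model_iov *iov, int used, int capacity)
{
    static const uint8_t zeros[8] = {0};
    size_t total = 0;

    for (int i = 0; i < used; i++)
        total += iov[i].len;
    size_t pad = pad_needed(total);
    if (pad == 0)
        return used;            /* already aligned, nothing to append */
    if (used >= capacity)
        return -1;              /* caller provided no iov for padding */
    iov[used].base = zeros;
    iov[used].len = pad;
    return used + 1;
}

/* Build a single-iov request of the given length and try to chain it. */
static int chain_with_len(size_t len)
{
    static struct req_one_elem req;
    struct model_iov iov[1] = { { &req, len } }; /* no spare slot, as in the report */
    return model_set_next(iov, 1, 1);
}

int main(void)
{
    printf("sizeof 1-element: %zu -> %d\n", sizeof(struct req_one_elem), chain_with_len(sizeof(struct req_one_elem)));
    printf("len - 1:          %zu -> %d\n", sizeof(struct req_one_elem) - 1, chain_with_len(sizeof(struct req_one_elem) - 1));
    printf("sizeof flex:      %zu -> %d\n", sizeof(struct req_flex), chain_with_len(sizeof(struct req_flex)));
    return 0;
}
```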



