This is a note to let you know that I've just added the patch titled
ksmbd: reduce descriptor size if remaining bytes is less than request size
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
ksmbd-reduce-descriptor-size-if-remaining-bytes-is-less-than-request-size.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From stable+bounces-7751-greg=kroah.com@xxxxxxxxxxxxxxx Mon Dec 18 16:47:02 2023
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Date: Tue, 19 Dec 2023 00:34:22 +0900
Subject: ksmbd: reduce descriptor size if remaining bytes is less than request size
To: gregkh@xxxxxxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx
Cc: smfrench@xxxxxxxxx, Namjae Jeon <linkinjeon@xxxxxxxxxx>, Steve French <stfrench@xxxxxxxxxxxxx>
Message-ID: <20231218153454.8090-123-linkinjeon@xxxxxxxxxx>
From: Namjae Jeon <linkinjeon@xxxxxxxxxx>
[ Upstream commit e628bf939aafb61fbc56e9bdac8795cea5127e25 ]
Create 3 kinds of files to reproduce this problem.
dd if=/dev/urandom of=127k.bin bs=1024 count=127
dd if=/dev/urandom of=128k.bin bs=1024 count=128
dd if=/dev/urandom of=129k.bin bs=1024 count=129
When copying files from ksmbd share to windows or cifs.ko, The following
error message happen from windows client.
"The file '129k.bin' is too large for the destination filesystem."
We can see the error logs from ksmbd debug prints
[48394.611537] ksmbd: RDMA r/w request 0x0: token 0x669d, length 0x20000
[48394.612054] ksmbd: smb_direct: RDMA write, len 0x20000, needed credits 0x1
[48394.612572] ksmbd: filename 129k.bin, offset 131072, len 131072
[48394.614189] ksmbd: nbytes 1024, offset 132096 mincount 0
[48394.614585] ksmbd: Failed to process 8 [-22]
And we can reproduce it with cifs.ko,
e.g. dd if=129k.bin of=/dev/null bs=128KB count=2
This problem is that ksmbd rdma return error if remaining bytes is less
than Length of Buffer Descriptor V1 Structure.
smb_direct_rdma_xmit()
..
if (desc_buf_len == 0 || total_length > buf_len ||
total_length > t->max_rdma_rw_size)
return -EINVAL;
This patch reduce descriptor size with remaining bytes and remove the
check for total_length and buf_len.
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Namjae Jeon <linkinjeon@xxxxxxxxxx>
Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/ksmbd/transport_rdma.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
--- a/fs/ksmbd/transport_rdma.c
+++ b/fs/ksmbd/transport_rdma.c
@@ -1364,24 +1364,35 @@ static int smb_direct_rdma_xmit(struct s
LIST_HEAD(msg_list);
char *desc_buf;
int credits_needed;
- unsigned int desc_buf_len;
- size_t total_length = 0;
+ unsigned int desc_buf_len, desc_num = 0;
if (t->status != SMB_DIRECT_CS_CONNECTED)
return -ENOTCONN;
+ if (buf_len > t->max_rdma_rw_size)
+ return -EINVAL;
+
/* calculate needed credits */
credits_needed = 0;
desc_buf = buf;
for (i = 0; i < desc_len / sizeof(*desc); i++) {
+ if (!buf_len)
+ break;
+
desc_buf_len = le32_to_cpu(desc[i].length);
+ if (!desc_buf_len)
+ return -EINVAL;
+
+ if (desc_buf_len > buf_len) {
+ desc_buf_len = buf_len;
+ desc[i].length = cpu_to_le32(desc_buf_len);
+ buf_len = 0;
+ }
credits_needed += calc_rw_credits(t, desc_buf, desc_buf_len);
desc_buf += desc_buf_len;
- total_length += desc_buf_len;
- if (desc_buf_len == 0 || total_length > buf_len ||
- total_length > t->max_rdma_rw_size)
- return -EINVAL;
+ buf_len -= desc_buf_len;
+ desc_num++;
}
ksmbd_debug(RDMA, "RDMA %s, len %#x, needed credits %#x\n",
@@ -1393,7 +1404,7 @@ static int smb_direct_rdma_xmit(struct s
/* build rdma_rw_ctx for each descriptor */
desc_buf = buf;
- for (i = 0; i < desc_len / sizeof(*desc); i++) {
+ for (i = 0; i < desc_num; i++) {
msg = kzalloc(offsetof(struct smb_direct_rdma_rw_msg, sg_list) +
sizeof(struct scatterlist) * SG_CHUNK_SIZE, GFP_KERNEL);
if (!msg) {
Patches currently in stable-queue which might be from kroah.com@xxxxxxxxxxxxxxx are
queue-5.15/ksmbd-remove-unused-parameter-from-smb2_get_name.patch
queue-5.15/ksmbd-smbd-handle-multiple-buffer-descriptors.patch
queue-5.15/ksmbd-add-mnt_want_write-to-ksmbd-vfs-functions.patch
queue-5.15/ksmbd-delete-an-invalid-argument-description-in-smb2_populate_readdir_entry.patch
queue-5.15/ksmbd-remove-smb2_buf_length-in-smb2_transform_hdr.patch
queue-5.15/ksmbd-fix-smb2_set_info_file-kernel-doc-comment.patch
queue-5.15/ksmbd-remove-unused-fields-from-ksmbd_file-struct-definition.patch
queue-5.15/ksmbd-set-445-port-to-smbdirect-port-by-default.patch
queue-5.15/ksmbd-use-ksmbd_req_buf_next-in-ksmbd_verify_smb_message.patch
queue-5.15/ksmbd-set-both-ipv4-and-ipv6-in-fsctl_query_network_interface_info.patch
queue-5.15/ksmbd-reduce-descriptor-size-if-remaining-bytes-is-less-than-request-size.patch
queue-5.15/ksmbd-fix-smb2_get_name-kernel-doc-comment.patch
queue-5.15/ksmbd-register-ksmbd-ib-client-with-ib_register_client.patch
queue-5.15/ksmbd-smbd-fix-missing-client-s-memory-region-invalidation.patch
queue-5.15/ksmbd-fix-parameter-name-and-comment-mismatch.patch
queue-5.15/ksmbd-smbd-call-rdma_accept-under-cm-handler.patch
queue-5.15/ksmdb-use-cmd-helper-variable-in-smb2_get_ksmbd_tcon.patch
queue-5.15/ksmbd-smbd-change-the-default-maximum-read-write-receive-size.patch
queue-5.15/ksmbd-smbd-remove-useless-license-text-when-spdx-license-identifier-is-already-used.patch
queue-5.15/ksmbd-check-the-validation-of-pdu_size-in-ksmbd_conn_handler_loop.patch
queue-5.15/ksmbd-fix-buffer_check_err-kernel-doc-comment.patch
queue-5.15/ksmbd-remove-redundant-flush_workqueue-calls.patch
queue-5.15/ksmbd-smbd-create-mr-pool.patch
queue-5.15/ksmbd-remove-smb2_buf_length-in-smb2_hdr.patch
queue-5.15/ksmbd-remove-md4-leftovers.patch
queue-5.15/ksmbd-add-smb-direct-shutdown.patch
