From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Paulo Alcantara <pc@manguebit.com>
Cc: "Jan Čermák" <sairon@sairon.cz>,
"Leonardo Brondani Schenkel" <leonardo@schenkel.net>,
stable@vger.kernel.org, regressions@lists.linux.dev,
linux-cifs@vger.kernel.org,
"Mathias Weißbach" <m.weissbach@info-gate.de>
Subject: Re: [REGRESSION 6.1.70] system calls with CIFS mounts failing with "Resource temporarily unavailable"
Date: Mon, 8 Jan 2024 16:11:09 +0100
Message-ID: <2024010846-hefty-program-09c0@gregkh>
In-Reply-To: <446860c571d0699ed664175262a9e84b@manguebit.com>

On Mon, Jan 08, 2024 at 11:52:45AM -0300, Paulo Alcantara wrote:
> Hi Jan,
>
> Thanks for the report.
>
> So this bug is related to an off-by-one in smb2_set_next_command() when
> the client attempts to pad SMB2_QUERY_INFO request -- since it isn't 8 byte
> aligned -- even though smb2_query_info_compound() doesn't provide an extra
> iov for such padding.
>
> v6.1.y doesn't have
>
> eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
>
> and the commit does
>
> + if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
> + len > CIFSMaxBufSize))
> + return -EINVAL;
> +
>
> so sizeof(*req) will wrongly include the extra byte from
> smb2_query_info_req::Buffer making @len unaligned and therefore causing
> OOB in smb2_set_next_command().
>
> A simple fix for that would be
>
> diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
> index 05ff8a457a3d..aed5067661de 100644
> --- a/fs/smb/client/smb2pdu.c
> +++ b/fs/smb/client/smb2pdu.c
> @@ -3556,7 +3556,7 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
>
> iov[0].iov_base = (char *)req;
> /* 1 for Buffer */
> - iov[0].iov_len = len;
> + iov[0].iov_len = len - 1;
> return 0;
> }
>
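
Review bot: at `iov[0].iov_len = len - 1;` the subtraction hardcodes the size of the one-byte `Buffer` array, and the `/* 1 for Buffer */` comment above it does not say that the byte is being dropped. The bound check quoted earlier compares `len`, which still counts that byte, against CIFSMaxBufSize, so the checked length and the length stored in `iov[0].iov_len` differ by one. If eb3e28c1e89b is later applied on top of this change, `sizeof(*req)` stops counting `Buffer` and `len - 1` would cut one real byte from the request. Suggest excluding the `Buffer` byte where `len` is computed, before the check, and updating the comment to match.
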
Why can't we just include eb3e28c1e89b ("smb3: Replace smb2pdu 1-element
arrays with flex-arrays") to resolve this?

I've queued it up now.

thanks,

greg k-h
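
Added example (not part of the original message and not kernel code): a simplified C model of the off-by-one described in the quoted analysis, where `sizeof` counts a 1-element trailing array and the resulting unaligned length triggers padding that needs an iov slot the caller never provided. The struct layouts, the 40-byte fixed size and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins, NOT the kernel's struct smb2_query_info_req. */
struct req_one_elem { unsigned char fixed[40]; unsigned char Buffer[1]; };
struct req_flex     { unsigned char fixed[40]; unsigned char Buffer[];  };

/* Bytes required to round len up to the next 8-byte boundary. */
size_t pad_to_8(size_t len) { return (8 - (len & 7)) & 7; }

/* Request length built from sizeof(*req): the 1-element array adds a byte. */
size_t len_one_elem(size_t input_len) { return sizeof(struct req_one_elem) + input_len; }

/* Same computation once Buffer is a flexible array member. */
size_t len_flex(size_t input_len) { return sizeof(struct req_flex) + input_len; }

/*
 * Hypothetical model of a compounding step: an unaligned request gets one
 * extra iov appended for padding. Returns 1 when that append would land in
 * a slot beyond the 'provided' iov array, i.e. an out-of-bounds access.
 */
int pads_past_iov_array(size_t provided, size_t nvec, size_t iov0_len)
{
    size_t needed = nvec + (pad_to_8(iov0_len) ? 1 : 0);
    return needed > provided;
}

int main(void)
{
    size_t input_len = 8;                 /* constructed, already 8-byte aligned */
    size_t bad  = len_one_elem(input_len);
    size_t good = len_flex(input_len);

    printf("1-element array: len=%zu pad=%zu oob=%d\n",
           bad, pad_to_8(bad), pads_past_iov_array(1, 1, bad));
    printf("len - 1        : len=%zu pad=%zu oob=%d\n",
           bad - 1, pad_to_8(bad - 1), pads_past_iov_array(1, 1, bad - 1));
    printf("flex array     : len=%zu pad=%zu oob=%d\n",
           good, pad_to_8(good), pads_past_iov_array(1, 1, good));
    return 0;
}
```

Both remedies discussed in the thread give the same aligned length in this model: subtracting the stray byte by hand, or switching the trailing array to a flexible array member so `sizeof` never counts it.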