From: Youling Tang <youling.tang@linux.dev>
To: smfrench@gmail.com, linkinjeon@kernel.org, pc@manguebit.org,
ronniesahlberg@gmail.com, sprasad@microsoft.com, tom@talpey.com,
bharathsm@microsoft.com, senozhatsky@chromium.org,
dhowells@redhat.com, chenxiaosong@chenxiaosong.com,
gregkh@linuxfoundation.org
Cc: linux-cifs@vger.kernel.org, youling.tang@linux.dev,
Youling Tang <tangyouling@kylinos.cn>,
ChenXiaoSong <chenxiaosong@kylinos.cn>
Subject: [PATCH] smb/client: fix unaligned reads in wsl_to_fattr()
Date: Thu, 23 Apr 2026 13:59:15 +0800
Message-ID: <20260423055915.695024-1-youling.tang@linux.dev>
From: Youling Tang <tangyouling@kylinos.cn>
See MS-FSCC 2.4.16. When multiple FILE_FULL_EA_INFORMATION data elements
are present in the buffer, each MUST be aligned on a 4-byte boundary.
When parsing WSL extended attributes, the code derives the value pointer
at an offset of 7 (SMB2_WSL_XATTR_NAME_LEN + 1) from ea_data; the value
sits at an unaligned offset.
We should use get_unaligned_le32() or get_unaligned_le64() to get
unaligned values.
Link: https://lore.kernel.org/linux-cifs/77013349-ff89-4593-985d-520d967d2638@chenxiaosong.com/
Signed-off-by: Youling Tang <tangyouling@kylinos.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
---
fs/smb/client/reparse.c | 6 +++---
fs/smb/client/reparse.h | 6 +++---
fs/smb/client/smb2pdu.h | 1 +
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index cd1e1eaee67a..eebce954c5ce 100644
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -1160,7 +1160,7 @@ static bool wsl_to_fattr(struct cifs_open_info_data *data,
name = ea->ea_data;
nlen = ea->ea_name_length;
- v = (void *)((u8 *)ea->ea_data + ea->ea_name_length + 1);
+ v = (void *)((u8 *)name + nlen + 1);
if (!strncmp(name, SMB2_WSL_XATTR_UID, nlen))
fattr->cf_uid = wsl_make_kuid(cifs_sb, v);
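Review bot: v is still computed from the wire-supplied nlen in the "v = (void *)((u8 *)name + nlen + 1);" line, and the context shown here has no check that the entry's value actually holds the 4 or 8 bytes that are later read through v. get_unaligned_le32()/get_unaligned_le64() remove the alignment fault but not an over-read, so it is worth confirming (or adding) a value-length check against the expected size before v is passed on. Separately, switching to name and nlen is a readability cleanup rather than part of the alignment fix, and the changelog should say so.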
@@ -1168,9 +1168,9 @@ static bool wsl_to_fattr(struct cifs_open_info_data *data,
fattr->cf_gid = wsl_make_kgid(cifs_sb, v);
else if (!strncmp(name, SMB2_WSL_XATTR_MODE, nlen)) {
/* File type in reparse point tag and in xattr mode must match. */
- if (S_DT(fattr->cf_mode) != S_DT(le32_to_cpu(*(__le32 *)v)))
+ if (S_DT(fattr->cf_mode) != S_DT(get_unaligned_le32(v)))
return false;
- fattr->cf_mode = (umode_t)le32_to_cpu(*(__le32 *)v);
+ fattr->cf_mode = (umode_t)get_unaligned_le32(v);
} else if (!strncmp(name, SMB2_WSL_XATTR_DEV, nlen)) {
fattr->cf_rdev = reparse_mkdev(v);
have_xattr_dev = true;
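Review bot: the SMB2_WSL_XATTR_MODE branch calls get_unaligned_le32(v) twice on the same server-supplied bytes, once inside the S_DT() comparison and once for the fattr->cf_mode assignment. Read it once into a local u32 and use that for both, so the value that passed the file-type check is by construction the value that gets stored, and the line is shorter.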
diff --git a/fs/smb/client/reparse.h b/fs/smb/client/reparse.h
index 0164dc47bdfd..653213a6b7e8 100644
--- a/fs/smb/client/reparse.h
+++ b/fs/smb/client/reparse.h
@@ -23,7 +23,7 @@
static inline dev_t reparse_mkdev(void *ptr)
{
- u64 v = le64_to_cpu(*(__le64 *)ptr);
+ u64 v = get_unaligned_le64(ptr);
return MKDEV(v & 0xffffffff, v >> 32);
}
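Review bot: reparse.h now calls get_unaligned_le64() and get_unaligned_le32() from its inline helpers, but the diffstat shows 3 insertions and 3 deletions for this file, so no #include was added. The header then builds only if every includer has already pulled in the unaligned accessors; add the include (linux/unaligned.h in current trees) to reparse.h itself. Since reparse_mkdev() only reads through ptr, the parameter could also become const void *.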
@@ -31,7 +31,7 @@ static inline dev_t reparse_mkdev(void *ptr)
static inline kuid_t wsl_make_kuid(struct cifs_sb_info *cifs_sb,
void *ptr)
{
- u32 uid = le32_to_cpu(*(__le32 *)ptr);
+ u32 uid = get_unaligned_le32(ptr);
if (cifs_sb_flags(cifs_sb) & CIFS_MOUNT_OVERR_UID)
return cifs_sb->ctx->linux_uid;
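Review bot: in wsl_make_kuid() the uid is loaded from ptr before the CIFS_MOUNT_OVERR_UID test, and that branch returns cifs_sb->ctx->linux_uid without using it. Moving the get_unaligned_le32(ptr) read below the override check avoids touching the server-supplied buffer when the mount option makes the value irrelevant; the same ordering applies to gid and CIFS_MOUNT_OVERR_GID in wsl_make_kgid().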
@@ -41,7 +41,7 @@ static inline kuid_t wsl_make_kuid(struct cifs_sb_info *cifs_sb,
static inline kgid_t wsl_make_kgid(struct cifs_sb_info *cifs_sb,
void *ptr)
{
- u32 gid = le32_to_cpu(*(__le32 *)ptr);
+ u32 gid = get_unaligned_le32(ptr);
if (cifs_sb_flags(cifs_sb) & CIFS_MOUNT_OVERR_GID)
return cifs_sb->ctx->linux_gid;
diff --git a/fs/smb/client/smb2pdu.h b/fs/smb/client/smb2pdu.h
index 30d70097fe2f..6744606dab6c 100644
--- a/fs/smb/client/smb2pdu.h
+++ b/fs/smb/client/smb2pdu.h
@@ -211,6 +211,7 @@ struct compress_ioctl {
* BB consider moving to a different header
*/
+/* See MS-FSCC 2.4.16 */
struct smb2_file_full_ea_info { /* encoding of response for level 15 */
__le32 next_entry_offset;
__u8 flags;
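Review bot: the added "/* See MS-FSCC 2.4.16 */" sits as a second comment directly under the closing "*/" of the existing block and only cites the section number. Fold it into the comment on struct smb2_file_full_ea_info and state the rule the changelog relies on: each entry starts on a 4-byte boundary, but the value that follows the name in ea_data is not aligned and has to be read with the get_unaligned_*() helpers. That is the part a future reader of this struct needs.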
--
2.53.0