From: Paulo Alcantara <pc@manguebit.com>
To: David Howells <dhowells@redhat.com>,
Damian Tometzki <damian@riscv-rocks.de>
Cc: dhowells@redhat.com, Eric Biggers <ebiggers@kernel.org>,
Steve French <smfrench@gmail.com>, John Sanpe <sanpeqf@gmail.com>,
CIFS <linux-cifs@vger.kernel.org>,
Namjae Jeon <linkinjeon@kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] cifs: Fix encryption of cleared, but unset rq_iter data buffers
Date: Mon, 06 Nov 2023 12:41:01 -0300 [thread overview]
Message-ID: <919fa20e0951f962944b1f5c337a5911.pc@manguebit.com> (raw)
In-Reply-To: <2610852.1699281611@warthog.procyon.org.uk>
David Howells <dhowells@redhat.com> writes:
> cifs: Fix encryption of cleared, but unset rq_iter data buffers
>
> Each smb_rqst struct contains two things: an array of kvecs (rq_iov) that
> contains the protocol data for an RPC op and an iterator (rq_iter) that
> contains the data payload of an RPC op. When an smb_rqst is allocated
> rq_iter is it always cleared, but we don't set it up unless we're going to
> use it.
>
> The functions that determines the size of the ciphertext buffer that will
> be needed to encrypt a request, cifs_get_num_sgs(), assumes that rq_iter is
> always initialised - and employs user_backed_iter() to check that the
> iterator isn't user-backed. This used to incidentally work, because
> ->user_backed was set to false because the iterator has never been
> initialised, but with commit f1b4cb650b9a0eeba206d8f069fcdc532bfbcd74[1]
> which changes user_backed_iter() to determine this based on the iterator
> type insted, a warning is now emitted:
>
> WARNING: CPU: 7 PID: 4584 at fs/smb/client/cifsglob.h:2165 smb2_get_aead_req+0x3fc/0x420 [cifs]
> ...
> RIP: 0010:smb2_get_aead_req+0x3fc/0x420 [cifs]
> ...
> crypt_message+0x33e/0x550 [cifs]
> smb3_init_transform_rq+0x27d/0x3f0 [cifs]
> smb_send_rqst+0xc7/0x160 [cifs]
> compound_send_recv+0x3ca/0x9f0 [cifs]
> cifs_send_recv+0x25/0x30 [cifs]
> SMB2_tcon+0x38a/0x820 [cifs]
> cifs_get_smb_ses+0x69c/0xee0 [cifs]
> cifs_mount_get_session+0x76/0x1d0 [cifs]
> dfs_mount_share+0x74/0x9d0 [cifs]
> cifs_mount+0x6e/0x2e0 [cifs]
> cifs_smb3_do_mount+0x143/0x300 [cifs]
> smb3_get_tree+0x15e/0x290 [cifs]
> vfs_get_tree+0x2d/0xe0
> do_new_mount+0x124/0x340
> __se_sys_mount+0x143/0x1a0
>
> The problem is that rq_iter was never set, so the type is 0 (ie. ITER_UBUF)
> which causes user_backed_iter() to return true. The code doesn't
> malfunction because it checks the size of the iterator - which is 0.
>
> Fix cifs_get_num_sgs() to ignore rq_iter if its count is 0, thereby
> bypassing the warnings.
>
> It might be better to explicitly initialise rq_iter to a zero-length
> ITER_BVEC, say, as it can always be reinitialised later.
Agreed. We could probably set those in ->init_transform_rq().
> Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list")
> Reported-by: Damian Tometzki <damian@riscv-rocks.de>
> Link: https://lore.kernel.org/r/ZUfQo47uo0p2ZsYg@fedora.fritz.box/
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: Steve French <smfrench@gmail.com>
> cc: Shyam Prasad N <sprasad@microsoft.com>
> cc: Rohith Surabattula <rohiths.msft@gmail.com>
> cc: Paulo Alcantara <pc@manguebit.com>
> cc: Namjae Jeon <linkinjeon@kernel.org>
> cc: Tom Talpey <tom@talpey.com>
> cc: Jeff Layton <jlayton@kernel.org>
> cc: Eric Biggers <ebiggers@kernel.org>
> cc: linux-cifs@vger.kernel.org
> cc: linux-fsdevel@vger.kernel.org
> Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1b4cb650b9a0eeba206d8f069fcdc532bfbcd74 [1]
> ---
> fs/smb/client/cifsglob.h | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
FWIW, the patch fixes mounts of shares with encryption enabled.
Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
next prev parent reply other threads:[~2023-11-06 15:41 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-22 18:39 [PATCH] fs/smb: using crypto lib instead cifs_arc4 John Sanpe
2023-10-22 19:38 ` Steve French
2023-10-22 19:40 ` Steve French
2023-10-22 19:42 ` ronnie sahlberg
2023-11-05 19:33 ` Eric Biggers
2023-11-05 17:28 ` smb cifs: Linux 6.7 pre rc-1 kernel dump in smb2_get_aead_req Damian Tometzki
[not found] ` <CAH2r5msde65PMtn-96VZDAQkT_rq+e-2G4O+zbPUR8zSWGxMsg@mail.gmail.com>
2023-11-05 19:36 ` Eric Biggers
2023-11-05 19:40 ` Damian Tometzki
2023-11-05 20:15 ` Eric Biggers
2023-11-06 7:36 ` Damian Tometzki
2023-11-06 10:01 ` David Howells
2023-11-06 14:40 ` [PATCH] cifs: Fix encryption of cleared, but unset rq_iter data buffers David Howells
2023-11-06 15:41 ` Paulo Alcantara [this message]
2023-11-07 5:18 ` Damian Tometzki
2023-11-07 18:51 ` Steve French
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=919fa20e0951f962944b1f5c337a5911.pc@manguebit.com \
--to=pc@manguebit.com \
--cc=damian@riscv-rocks.de \
--cc=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=linkinjeon@kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sanpeqf@gmail.com \
--cc=smfrench@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox