On Sun, Jan 28, 2024 at 09:07:58AM -0800, Harshit Mogalapalli wrote:
Bug: After mounting the cifs fs, it complains with Resource temporarily unavailable messages.
[root@vm1 xfstests-dev]# ./check -g quick -s smb3
TEST_DEV=//<SERVER_IP>/TEST is mounted but not a type cifs filesystem
[root@vm1 xfstests-dev]# df
df: /mnt/test: Resource temporarily unavailable
Paul's analysis of the bug:
Bug is related to an off-by-one in smb2_set_next_command() when the client attempts to pad SMB2_QUERY_INFO request -- since it isn't 8 byte aligned -- even though smb2_query_info_compound() doesn't provide an extra iov for such padding.
v5.15.y doesn't have
eb3e28c1e89b ("smb3: Replace smb2pdu 1-element arrays with flex-arrays")
and the commit does
	if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
		     len > CIFSMaxBufSize))
		return -EINVAL;
so sizeof(*req) will wrongly include the extra byte from smb2_query_info_req::Buffer making @len unaligned and therefore causing OOB in smb2_set_next_command().
Fixes: bfd18c0f570e4 ("smb: client: fix OOB in SMB2_query_info_init()")
Suggested-by: Paulo Alcantara <pc@manguebit.com>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
This patch is only for the 5.15.y stable kernel. I have tested the patched kernel: after mounting, it doesn't become unavailable.
Now queued up, thanks.
greg k-h
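To make the sizeof() point from the analysis concrete, here is a constructed C model, added here and not taken from the patch or the kernel tree, of the two request layouts the mail contrasts. The struct names, the 64+40-byte fixed part (SMB2 header plus the QUERY_INFO body before Buffer) and CIFS_MAX_BUF_SIZE_ASSUMED are assumptions standing in for the real smb2_query_info_req and CIFSMaxBufSize.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model (not kernel code). All members are uint8_t so no
 * struct padding has to be modelled; only the Buffer declaration differs. */
struct query_info_req_legacy {
	uint8_t fixed[64 + 40];
	uint8_t Buffer[1];	/* 1-element array: contributes 1 byte to sizeof */
};

struct query_info_req_flex {
	uint8_t fixed[64 + 40];
	uint8_t Buffer[];	/* flexible array member: contributes 0 bytes */
};

#define CIFS_MAX_BUF_SIZE_ASSUMED 65536u	/* placeholder for CIFSMaxBufSize */

/* Mirrors the quoted check: len = input_len + base, rejected on overflow
 * or when it exceeds the buffer size. Returns 0 on rejection. */
static size_t request_len(size_t base, size_t input_len)
{
	size_t len;

	if (__builtin_add_overflow(input_len, base, &len) ||
	    len > CIFS_MAX_BUF_SIZE_ASSUMED)
		return 0;
	return len;
}

/* Bytes smb2_set_next_command() would add to reach 8-byte alignment.
 * A non-zero value with no padding iov supplied is the OOB condition. */
size_t pad_needed(size_t len)
{
	return (8 - (len & 7)) & 7;
}

/* v5.15.y layout: sizeof(*req) includes the spurious Buffer byte. */
size_t legacy_request_len(size_t input_len)
{
	return request_len(sizeof(struct query_info_req_legacy), input_len);
}

/* Flex-array layout (eb3e28c1e89b): sizeof(*req) stops before Buffer. */
size_t flex_request_len(size_t input_len)
{
	return request_len(sizeof(struct query_info_req_flex), input_len);
}

/* Layout-independent base: offsetof(Buffer) is the true fixed-part length
 * even when the struct still carries the 1-element array. */
size_t offsetof_base_request_len(size_t input_len)
{
	return request_len(offsetof(struct query_info_req_legacy, Buffer), input_len);
}
```

With no input buffer the legacy layout yields 105 bytes (7 bytes of padding needed), while the flex-array and offsetof-based computations both yield 104, which is already 8-byte aligned.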