Commit 5d8fbb5f authored Sep 24, 2024 by Stefan Metzmacher Committed by Long Li Sep 24, 2024

smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()

stable inclusion
from stable-v6.6.48
commit a01859dd6aebf826576513850a3b05992809e9d2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4DV
CVE: CVE-2024-46686

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=tags/v6.6.49&id=a01859dd6aebf826576513850a3b05992809e9d2



--------------------------------

commit c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf upstream.

This happens when called from SMB2_read() while using rdma
and reaching the rdma_readwrite_threshold.

Cc: stable@vger.kernel.org
Fixes: a6559cc1 ("cifs: split out smb3_use_rdma_offload() helper")
Reviewed-by: David Howells <dhowells@redhat.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Long Li <leo.lilong@huawei.com>

parent d25e57f4

fs/smb/client/smb2pdu.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -4431,7 +4431,7 @@ smb2_new_read_req(void *buf, unsigned int total_len,
		* If we want to do a RDMA write, fill in and append
		* smbd_buffer_descriptor_v1 to the end of read request
		*/
		if (smb3_use_rdma_offload(io_parms)) {
		if (rdata && smb3_use_rdma_offload(io_parms)) {
		struct smbd_buffer_descriptor_v1 *v1;
		bool need_invalidate = server->dialect == SMB30_PROT_ID;