From 1b0559ebe7b1f237c82d349ebf6ad19ad2a51eba Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 23 Sep 2024 16:54:48 +0800 Subject: [PATCH] smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() stable inclusion from stable-v6.6.48 commit a01859dd6aebf826576513850a3b05992809e9d2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4DV CVE: CVE-2024-46688 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=tags/v6.6.49&id=a01859dd6aebf826576513850a3b05992809e9d2 -------------------------------- commit c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf upstream. This happens when called from SMB2_read() while using rdma and reaching the rdma_readwrite_threshold. Cc: stable@vger.kernel.org Fixes: a6559cc1d35d ("cifs: split out smb3_use_rdma_offload() helper") Reviewed-by: David Howells Signed-off-by: Stefan Metzmacher Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman Signed-off-by: Long Li --- fs/smb/client/smb2pdu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 61df8a5c6824..bf45b8652e58 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -4431,7 +4431,7 @@ smb2_new_read_req(void **buf, unsigned int *total_len, * If we want to do a RDMA write, fill in and append * smbd_buffer_descriptor_v1 to the end of read request */ - if (smb3_use_rdma_offload(io_parms)) { + if (rdata && smb3_use_rdma_offload(io_parms)) { struct smbd_buffer_descriptor_v1 *v1; bool need_invalidate = server->dialect == SMB30_PROT_ID; -- Gitee
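Review bot: the new `rdata &&` guard in the `if (rdata && smb3_use_rdma_offload(io_parms))` condition in smb2_new_read_req() is undocumented, and the comment directly above it still reads as if the smbd_buffer_descriptor_v1 is appended whenever RDMA offload is wanted. With this change a caller that passes rdata == NULL (the commit message names SMB2_read() with rdma once rdma_readwrite_threshold is reached) skips the descriptor block entirely, so that request is built without RDMA offload even though smb3_use_rdma_offload(io_parms) would return true. Please extend the comment to say that rdata may be NULL on that path and that offload is intentionally skipped there, so a later reader does not drop the check as redundant. The commit message would also be easier to audit if it stated which statement inside the block dereferences rdata, since the visible context ends before that line.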