From: longli@linuxonhyperv.com
Reply-To: longli@microsoft.com
To: Steve French, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org
Cc: Long Li
Subject: [PATCH 2/2] cifs: Allocate memory for all iovs in smb2_ioctl
Date: Wed, 15 May 2019 14:09:05 -0700
Message-Id: <1557954545-17831-2-git-send-email-longli@linuxonhyperv.com>
In-Reply-To: <1557954545-17831-1-git-send-email-longli@linuxonhyperv.com>

From: Long Li

An IOCTL uses up to 2 iovs. The 1st iov is the command itself, the 2nd iov is
optional data for that command. The 1st iov is always allocated on the heap
but the 2nd iov may point to a variable on the stack. This will trigger an
error when passing the 2nd iov for RDMA I/O.

Fix this by allocating a buffer for the 2nd iov.

Signed-off-by: Long Li --- fs/cifs/smb2pdu.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 29f011d8d8e2..710ceb875161 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2538,11 +2538,25 @@ SMB2_ioctl_init(struct cifs_tcon *tcon, struct smb_rqst *rqst, struct kvec *iov = rqst->rq_iov; unsigned int total_len; int rc; + char *in_data_buf; rc = smb2_plain_req_init(SMB2_IOCTL, tcon, (void **) &req, &total_len); if (rc) return rc; + if (indatalen) { + /* + * indatalen is usually small at a couple of bytes max, so + * just allocate through generic pool + */ + in_data_buf = kmalloc(indatalen, GFP_NOFS); + if (!in_data_buf) { + cifs_small_buf_release(req); + return -ENOMEM; + } + memcpy(in_data_buf, in_data, indatalen); + } + req->CtlCode = cpu_to_le32(opcode); req->PersistentFileId = persistent_fid; req->VolatileFileId = volatile_fid; @@ -2563,7 +2577,7 @@ SMB2_ioctl_init(struct cifs_tcon *tcon, struct smb_rqst *rqst, cpu_to_le32(offsetof(struct smb2_ioctl_req, Buffer)); rqst->rq_nvec = 2; iov[0].iov_len = total_len - 1; - iov[1].iov_base = in_data; + iov[1].iov_base = in_data_buf; iov[1].iov_len = indatalen; } else { rqst->rq_nvec = 1; @@ -2605,8 +2619,11 @@ SMB2_ioctl_init(struct cifs_tcon *tcon, struct smb_rqst *rqst, void SMB2_ioctl_free(struct smb_rqst *rqst) { - if (rqst && rqst->rq_iov) + if (rqst && rqst->rq_iov) { cifs_small_buf_release(rqst->rq_iov[0].iov_base); /* request */ + if (rqst->rq_iov[1].iov_len) + kfree(rqst->rq_iov[1].iov_base); + } } -- 2.17.1
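
Review bot: in the first SMB2_ioctl_init hunk (@@ -2538), in_data_buf is declared without an initializer and is assigned only inside if (indatalen), so it holds an indeterminate value whenever indatalen is 0. Declare it as char *in_data_buf = NULL; so that no later path can use or free a garbage pointer and the compiler has nothing to flag as maybe-uninitialized. The kmalloc() followed by memcpy() can also be collapsed into a single kmemdup(in_data, indatalen, GFP_NOFS), which keeps the size argument in one place.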
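
Review bot: in the SMB2_ioctl_free hunk, rqst->rq_iov[1] is read unconditionally, but the else branch of SMB2_ioctl_init sets rqst->rq_nvec = 1 and never writes iov[1], so the new kfree() is only safe if every caller hands in a zeroed second slot. Gate the free on the vector count, for example if (rqst->rq_nvec > 1) kfree(rqst->rq_iov[1].iov_base);, or clear iov[1].iov_base and iov[1].iov_len in the one-vector branch; otherwise a stale iov_len results in kfree() of a pointer this function never allocated. A short comment next to the kfree() noting that iov[1] is the copied input data would match the existing /* request */ comment on iov[0].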