diff --git a/buildroot-external/patches/linux/6.1.71/0001-Revert-smb-client-fix-OOB-in-SMB2_query_info_init.patch b/buildroot-external/patches/linux/6.1.71/0001-Revert-smb-client-fix-OOB-in-SMB2_query_info_init.patch
new file mode 100644
index 000000000..d317af153
--- /dev/null
+++ b/buildroot-external/patches/linux/6.1.71/0001-Revert-smb-client-fix-OOB-in-SMB2_query_info_init.patch
@@ -0,0 +1,113 @@
+From 0ef7210b8779b04a380775764ad1a6b8dbfc40ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cerm=C3=A1k?=
+Date: Mon, 8 Jan 2024 12:27:41 +0100
+Subject: [PATCH] Revert "smb: client: fix OOB in SMB2_query_info_init()"
+
+This reverts commit bef4315f19ba6f434054f58b958c0cf058c7a43f.
+
+This commit introduced regression causing stat operations on CIFS shares
+to fail [1]. Issue was reported in mailing lists [2], reverting the patch
+before it is resolved in linux-stable 6.1.y.
+
+[1] https://github.com/home-assistant/operating-system/issues/3041
+[2] https://lore.kernel.org/stable/8ad7c20e-0645-40f3-96e6-75257b4bd31a@schenkel.net/
+---
+ fs/smb/client/smb2pdu.c | 29 +++++++----------------------
+ 1 file changed, 7 insertions(+), 22 deletions(-)
+
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index 05ff8a457a3d..847d69d327c2 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -372,15 +372,10 @@ static int __smb2_plain_req_init(__le16 smb2_command, struct cifs_tcon *tcon,
+ void **request_buf, unsigned int *total_len)
+ {
+ /* BB eventually switch this to SMB2 specific small buf size */
+- switch (smb2_command) {
+- case SMB2_SET_INFO:
+- case SMB2_QUERY_INFO:
++ if (smb2_command == SMB2_SET_INFO)
+ *request_buf = cifs_buf_get();
+- break;
+- default:
++ else
+ *request_buf = cifs_small_buf_get();
+- break;
+- }
+ if (*request_buf == NULL) {
+ /* BB should we add a retry in here if not a writepage? */
+ return -ENOMEM;
+@@ -3528,13 +3523,8 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
+ struct smb2_query_info_req *req;
+ struct kvec *iov = rqst->rq_iov;
+ unsigned int total_len;
+- size_t len;
+ int rc;
+
+- if (unlikely(check_add_overflow(input_len, sizeof(*req), &len) ||
+- len > CIFSMaxBufSize))
+- return -EINVAL;
+-
+ rc = smb2_plain_req_init(SMB2_QUERY_INFO, tcon, server,
+ (void **) &req, &total_len);
+ if (rc)
+@@ -3556,7 +3546,7 @@ SMB2_query_info_init(struct cifs_tcon *tcon, struct TCP_Server_Info *server,
+
+ iov[0].iov_base = (char *)req;
+ /* 1 for Buffer */
+- iov[0].iov_len = len;
++ iov[0].iov_len = total_len - 1 + input_len;
+ return 0;
+ }
+
+@@ -3564,7 +3554,7 @@ void
+ SMB2_query_info_free(struct smb_rqst *rqst)
+ {
+ if (rqst && rqst->rq_iov)
+- cifs_buf_release(rqst->rq_iov[0].iov_base); /* request */
++ cifs_small_buf_release(rqst->rq_iov[0].iov_base); /* request */
+ }
+
+ static int
+@@ -5449,11 +5439,6 @@ build_qfs_info_req(struct kvec *iov, struct cifs_tcon *tcon,
+ return 0;
+ }
+
+-static inline void free_qfs_info_req(struct kvec *iov)
+-{
+- cifs_buf_release(iov->iov_base);
+-}
+-
+ int
+ SMB311_posix_qfs_info(const unsigned int xid, struct cifs_tcon *tcon,
+ u64 persistent_fid, u64 volatile_fid, struct kstatfs *fsdata)
+@@ -5485,7 +5470,7 @@ SMB311_posix_qfs_info(const unsigned int xid, struct cifs_tcon *tcon,
+
+ rc = cifs_send_recv(xid, ses, server,
+ &rqst, &resp_buftype, flags, &rsp_iov);
+- free_qfs_info_req(&iov);
++ cifs_small_buf_release(iov.iov_base);
+ if (rc) {
+ cifs_stats_fail_inc(tcon, SMB2_QUERY_INFO_HE);
+ goto posix_qfsinf_exit;
+@@ -5536,7 +5521,7 @@ SMB2_QFS_info(const unsigned int xid, struct cifs_tcon *tcon,
+
+ rc = cifs_send_recv(xid, ses, server,
+ &rqst, &resp_buftype, flags, &rsp_iov);
+- free_qfs_info_req(&iov);
++ cifs_small_buf_release(iov.iov_base);
+ if (rc) {
+ cifs_stats_fail_inc(tcon, SMB2_QUERY_INFO_HE);
+ goto qfsinf_exit;
+@@ -5603,7 +5588,7 @@ SMB2_QFS_attr(const unsigned int xid, struct cifs_tcon *tcon,
+
+ rc = cifs_send_recv(xid, ses, server,
+ &rqst, &resp_buftype, flags, &rsp_iov);
+- free_qfs_info_req(&iov);
++ cifs_small_buf_release(iov.iov_base);
+ if (rc) {
+ cifs_stats_fail_inc(tcon, SMB2_QUERY_INFO_HE);
+ goto qfsattr_exit;
+-- 
+2.34.1
+
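Review bot: Reverting the upstream commit wholesale also removes the `check_add_overflow(input_len, sizeof(*req), &len) || len > CIFSMaxBufSize` guard in SMB2_query_info_init() and puts SMB2_QUERY_INFO requests back on cifs_small_buf_get(), so `iov[0].iov_len = total_len - 1 + input_len` is once more computed with no visible bound on input_len. Going by the reverted commit's subject, that is the out-of-bounds condition it was written to close, yet the description here records only the stat regression. I would add a sentence to the description, for example `Note: this drops the bounds check added by bef4315f19ba; remove this patch once linux-stable 6.1.y carries a corrected fix.`, so the trade-off is visible when the kernel is next bumped. The bodies of SMB2_query_info_init() and its callers lie mostly outside the inner hunks, so whether input_len is limited elsewhere cannot be confirmed from this page.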