[PATCH] smb: client: fix zero length for mkdir POSIX create context
Steve French
smfrench at gmail.com
Tue Apr 29 16:20:14 UTC 2025
Good catch. I did verify that this fixes posix mkdir to ksmbd. It
didn't fail to Samba with posix extensions because Samba didn't check
for the incorrect length field. The fix also avoids another problem,
an rmmod crash. See below.
I added Cc: stable, and added the patch to cifs-2.6.git for-next
[ 1249.919717] RIP: 0010:__slab_err+0x1d/0x30
[ 1249.919719] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44
00 00 55 48 89 e5 e8 72 ff ff ff be 01 00 00 00 bf 05 00 00 00 e8 33
b2 1c 00 <0f> 0b 5d 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90
90 90
[ 1249.919721] RSP: 0018:ffffcf3041b0bab8 EFLAGS: 00010046
[ 1249.919723] RAX: 0000000000000000 RBX: ffffcf3041b0bb00 RCX: 0000000000000000
[ 1249.919724] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 1249.919725] RBP: ffffcf3041b0bab8 R08: 0000000000000000 R09: 0000000000000000
[ 1249.919727] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8c1b664fed00
[ 1249.919728] R13: ffff8c1b9cda6600 R14: dead000000000122 R15: ffff8c1b9cda6600
[ 1249.919729] FS: 00007d4b43e26080(0000) GS:ffff8c2312c9b000(0000)
knlGS:0000000000000000
[ 1249.919730] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1249.919732] CR2: 0000634aa6374a88 CR3: 00000002b21fe006 CR4: 00000000003726f0
[ 1249.919733] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1249.919734] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1249.919735] Call Trace:
[ 1249.919737] <TASK>
[ 1249.919739] free_partial.cold+0x137/0x191
[ 1249.919743] __kmem_cache_shutdown+0x46/0xa0
[ 1249.919746] kmem_cache_destroy+0x3e/0x1c0
[ 1249.919750] cifs_destroy_request_bufs+0x39/0x50 [cifs]
[ 1249.919814] exit_cifs+0x3a/0xcc0 [cifs]
[ 1249.919873] __do_sys_delete_module.isra.0+0x19d/0x2e0
[ 1249.919877] __x64_sys_delete_module+0x12/0x20
On Tue, Apr 29, 2025 at 8:17 AM Jethro Donaldson <devel at jro.nz> wrote:
>
> smb: client: fix zero length for mkdir POSIX create context
>
> SMB create requests issued via smb311_posix_mkdir() have an incorrect
> length of zero bytes for the POSIX create context data. A ksmbd server
> rejects such requests and logs "cli req too short" causing mkdir to fail
> with "invalid argument" on the client side.
>
> Inspection of packets sent by cifs.ko using wireshark show valid data for
> the SMB2_POSIX_CREATE_CONTEXT is appended with the correct offset, but
> with an incorrect length of zero bytes. Fails with ksmbd+cifs.ko only as
> Windows server/client does not use POSIX extensions.
>
> Fix smb311_posix_mkdir() to set req->CreateContextsLength as part of
> appending the POSIX creation context to the request.
>
> Signed-off-by: Jethro Donaldson <devel at jro.nz>
> ---
>
> Tested as far as mkdir now works as expected.
>
> Patch is against stable tree at v6.14.4 tag (first patch - unsure if I've
> correctly done the base-commit thing, sorry).
>
> diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
> index 163b8fea47e8..e7118501fdcc 100644
> --- a/fs/smb/client/smb2pdu.c
> +++ b/fs/smb/client/smb2pdu.c
> @@ -2920,6 +2920,7 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode,
> req->CreateContextsOffset = cpu_to_le32(
> sizeof(struct smb2_create_req) +
> iov[1].iov_len);
> + le32_add_cpu(&req->CreateContextsLength, iov[n_iov-1].iov_len);
> pc_buf = iov[n_iov-1].iov_base;
> }
>
>
> base-commit: ea061bad207e1ba693b5488ba64c663f7ca03f50
> --
> 2.49.0
>
--
Thanks,
Steve
More information about the samba-technical
mailing list