]> Git Repo - linux.git/blobdiff - fs/cifs/file.c
projects / linux.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
cifs: Fix potential OOB access of lock element array
[linux.git] / fs / cifs / file.c
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index 6706328ce03f89fc3eabc82f6b01779011c533c5..5b6f8392d9db415501ba4a3ec68480ffdc571acb 100644 (file)
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -33,6 +33,7 @@
 #include <linux/mount.h>
 #include <linux/slab.h>
 #include <linux/swap.h>
+#include <linux/mm.h>
 #include <asm/div64.h>
 #include "cifsfs.h"
 #include "cifspdu.h"
@@ -1131,14 +1132,18 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile)
 
        /*
         * Accessing maxBuf is racy with cifs_reconnect - need to store value
-        * and check it for zero before using.
+        * and check it before using.
         */
        max_buf = tcon->ses->server->maxBuf;
-       if (!max_buf) {
+       if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE))) {
                free_xid(xid);
                return -EINVAL;
        }
 
+       BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) >
+                    PAGE_SIZE);
+       max_buf = min_t(unsigned int, max_buf - sizeof(struct smb_hdr),
+                       PAGE_SIZE);
        max_num = (max_buf - sizeof(struct smb_hdr)) /
                                                sizeof(LOCKING_ANDX_RANGE);
        buf = kcalloc(max_num, sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL);
@@ -1471,12 +1476,16 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock,
 
        /*
         * Accessing maxBuf is racy with cifs_reconnect - need to store value
-        * and check it for zero before using.
+        * and check it before using.
         */
        max_buf = tcon->ses->server->maxBuf;
-       if (!max_buf)
+       if (max_buf < (sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE)))
                return -EINVAL;
 
+       BUILD_BUG_ON(sizeof(struct smb_hdr) + sizeof(LOCKING_ANDX_RANGE) >
+                    PAGE_SIZE);
+       max_buf = min_t(unsigned int, max_buf - sizeof(struct smb_hdr),
+                       PAGE_SIZE);
        max_num = (max_buf - sizeof(struct smb_hdr)) /
                                                sizeof(LOCKING_ANDX_RANGE);
        buf = kcalloc(max_num, sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL);
@@ -2617,11 +2626,13 @@ cifs_write_from_iter(loff_t offset, size_t len, struct iov_iter *from,
                if (rc)
                        break;
 
+               cur_len = min_t(const size_t, len, wsize);
+
                if (ctx->direct_io) {
                        ssize_t result;
 
                        result = iov_iter_get_pages_alloc(
-                               from, &pagevec, wsize, &start);
+                               from, &pagevec, cur_len, &start);
                        if (result < 0) {
                                cifs_dbg(VFS,
                                        "direct_writev couldn't get user pages "
@@ -2630,6 +2641,9 @@ cifs_write_from_iter(loff_t offset, size_t len, struct iov_iter *from,
                                        result, from->type,
                                        from->iov_offset, from->count);
                                dump_stack();
+
+                               rc = result;
+                               add_credits_and_wake_if(server, credits, 0);
                                break;
                        }
                        cur_len = (size_t)result;
@@ -3313,13 +3327,16 @@ cifs_send_async_read(loff_t offset, size_t len, struct cifsFileInfo *open_file,
                                        cur_len, &start);
                        if (result < 0) {
                                cifs_dbg(VFS,
-                                       "couldn't get user pages (cur_len=%zd)"
+                                       "couldn't get user pages (rc=%zd)"
                                        " iter type %d"
                                        " iov_offset %zd count %zd\n",
                                        result, direct_iov.type,
                                        direct_iov.iov_offset,
                                        direct_iov.count);
                                dump_stack();
+
+                               rc = result;
+                               add_credits_and_wake_if(server, credits, 0);
                                break;
                        }
                        cur_len = (size_t)result;
@@ -3956,7 +3973,7 @@ readpages_get_pages(struct address_space *mapping, struct list_head *page_list,
 
        INIT_LIST_HEAD(tmplist);
 
-       page = list_entry(page_list->prev, struct page, lru);
+       page = lru_to_page(page_list);
 
        /*
         * Lock the page and put it in the cache. Since no one else
Empty description
This page took 0.034039 seconds and 4 git commands to generate.