From: Stefan Metzmacher <metze@samba.org> stable inclusion from stable-v6.6.48 commit a01859dd6aebf826576513850a3b05992809e9d2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4DV CVE: CVE-2024-46686 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=t... -------------------------------- commit c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf upstream. This happens when called from SMB2_read() while using rdma and reaching the rdma_readwrite_threshold. Cc: stable@vger.kernel.org Fixes: a6559cc1d35d ("cifs: split out smb3_use_rdma_offload() helper") Reviewed-by: David Howells <dhowells@redhat.com> Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Long Li <leo.lilong@huawei.com> --- fs/smb/client/smb2pdu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 61df8a5c6824..bf45b8652e58 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -4431,7 +4431,7 @@ smb2_new_read_req(void **buf, unsigned int *total_len, * If we want to do a RDMA write, fill in and append * smbd_buffer_descriptor_v1 to the end of read request */ - if (smb3_use_rdma_offload(io_parms)) { + if (rdata && smb3_use_rdma_offload(io_parms)) { struct smbd_buffer_descriptor_v1 *v1; bool need_invalidate = server->dialect == SMB30_PROT_ID; -- 2.39.2