From: Stefan Metzmacher metze@samba.org

stable inclusion from stable-v6.6.48 commit a01859dd6aebf826576513850a3b05992809e9d2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4DV CVE: CVE-2024-46688

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=t...

--------------------------------

commit c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf upstream.

This happens when called from SMB2_read() while using rdma and reaching the rdma_readwrite_threshold.

Cc: stable@vger.kernel.org Fixes: a6559cc1d35d ("cifs: split out smb3_use_rdma_offload() helper") Reviewed-by: David Howells dhowells@redhat.com Signed-off-by: Stefan Metzmacher metze@samba.org Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Long Li leo.lilong@huawei.com --- fs/smb/client/smb2pdu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 61df8a5c6824..bf45b8652e58 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -4431,7 +4431,7 @@ smb2_new_read_req(void **buf, unsigned int *total_len, * If we want to do a RDMA write, fill in and append * smbd_buffer_descriptor_v1 to the end of read request */ - if (smb3_use_rdma_offload(io_parms)) { + if (rdata && smb3_use_rdma_offload(io_parms)) { struct smbd_buffer_descriptor_v1 *v1; bool need_invalidate = server->dialect == SMB30_PROT_ID;