Am 25.06.25 um 15:37 schrieb David Howells:
The handling of received data in the smbdirect client code involves using
copy_to_iter() to copy data from the smbd_reponse struct's packet trailer
to a folioq buffer provided by netfslib that encapsulates a chunk of
pagecache.
If, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks
then performed in copy_to_iter() oopsing with something like the following:
CIFS: Attempting to mount //172.31.9.1/test
CIFS: VFS: RDMA transport established
usercopy: Kernel memory exposure attempt detected from SLUB object 'smbd_response_0000000091e24ea1' (offset 81, size 63)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
...
RIP: 0010:usercopy_abort+0x6c/0x80
...
Call Trace:
<TASK>
__check_heap_object+0xe3/0x120
__check_object_size+0x4dc/0x6d0
smbd_recv+0x77f/0xfe0 [cifs]
cifs_readv_from_socket+0x276/0x8f0 [cifs]
cifs_read_from_socket+0xcd/0x120 [cifs]
cifs_demultiplex_thread+0x7e9/0x2d50 [cifs]
kthread+0x396/0x830
ret_from_fork+0x2b8/0x3b0
ret_from_fork_asm+0x1a/0x30
The problem is that the smbd_response slab's packet field isn't marked as
being permitted for usercopy.
Fix this by passing parameters to kmem_slab_create() to indicate that
copy_to_iter() is permitted from the packet region of the smbd_response
slab objects.
Further, do the same thing for smbd_request slab objects and their packet
field.
Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
Reported-by: Stefan Metzmacher <metze@xxxxxxxxx>
Link: https://lore.kernel.org/r/acb7f612-df26-4e2a-a35d-7cd040f513e1@xxxxxxxxx/
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
cc: Steve French <stfrench@xxxxxxxxxxxxx>
cc: Paulo Alcantara <pc@xxxxxxxxxxxxx>
cc: linux-cifs@xxxxxxxxxxxxxxx
cc: netfs@xxxxxxxxxxxxxxx
cc: linux-fsdevel@xxxxxxxxxxxxxxx
---
fs/smb/client/smbdirect.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
index ef6bf8d6808d..5915273636ad 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
@@ -1476,12 +1476,17 @@ static int allocate_caches_and_workqueue(struct smbd_connection *info)
int rc;
scnprintf(name, MAX_NAME_LEN, "smbd_request_%p", info);
+ struct kmem_cache_args request_args = {
+ .align = __alignof__(struct smbd_request),
+ .useroffset = offsetof(struct smbd_request, packet),
+ .usersize = sizeof(struct smbdirect_data_transfer),
This looks wrong, the smbdirect_data_transfer header itself
should be written by userspace.
So I guess we don't need this at all.
+ };
info->request_cache =
kmem_cache_create(
name,
sizeof(struct smbd_request) +
sizeof(struct smbdirect_data_transfer),
- 0, SLAB_HWCACHE_ALIGN, NULL);
+ &request_args, SLAB_HWCACHE_ALIGN);
if (!info->request_cache)
return -ENOMEM;
@@ -1492,12 +1497,16 @@ static int allocate_caches_and_workqueue(struct smbd_connection *info)
goto out1;
scnprintf(name, MAX_NAME_LEN, "smbd_response_%p", info);
+
+ struct kmem_cache_args response_args = {
+ .align = __alignof__(struct smbd_response),
+ .useroffset = offsetof(struct smbd_response, packet),
+ .usersize = sp->max_recv_size,
This should be have + sizeof(struct smbdirect_data_transfer) for useroffset
and - sizeof(struct smbdirect_data_transfer) for usersize
As the smbdirect_data_transfer header should not accessed by userspace.
My attempt looks like this:
- kmem_cache_create(
+ kmem_cache_create_usercopy(
name,
sizeof(struct smbd_response) +
sp->max_recv_size,
- 0, SLAB_HWCACHE_ALIGN, NULL);
+ __alignof__(struct smbd_response),
+ SLAB_HWCACHE_ALIGN,
+ /*
+ * only the payload should be exposed
+ */
+ offsetof(struct smbd_response, packet) +
+ sizeof(struct smbdirect_data_transfer),
+ sp->max_recv_size -
+ sizeof(struct smbdirect_data_transfer),
+ NULL);
But I noticed that kmem_cache_create_usercopy is a legacy wrapper.
