cifsd: null pointer on openwrt at ksmbd_vfs_kern_path causes kernel oops about ksmbd HOT 14 OPEN

Yes, 100%. The client is KDE Dolphin, version 17.12.3. Not only does it occur 100% of the time, but the client apparently will send the offending packet repeatedly while it is still open. Issue occurs when listing shares from the server. To reproduce, I open up the client, select "Samba Shares" and then type the server address in the top location field.

On the first attempt, it listed the available shares before crashing, on other attempts, it crashes before the list is generated.

Attached, please find the applicable pcap from tcpdump. I filtered on traffic from ports 128, 139, and 445. Please let me know if I missed anything in the capture.

Github won't let me attach the pcap directly, I had to gzip it. Please let me know if you have any issues with the attachment.
cifsd.pcap.gz

from ksmbd.

@Bernie Can you reproduce this issue with 100% frequency ? If yes, can you share tcpdump after reproduction ?

from ksmbd.

Cool, Thanks for your help. maybe, there is race condition issue between kill server and client connection. I wll take a look.

from ksmbd.

One more request, can you share tcpdump when client connect with samba ? I think that this client doesn't send tree connect request about share.

from ksmbd.

Hmm, something odd. I don't see empty rpc methods in the capture dump, yet here we go

<3>[  314.919136] ksmbd: __rpc_method:85: Unsupported RPC:
<3>[  314.924479] ksmbd: create_smb2_pipe:1762: Unable to open RPC pipe: -22

Update.

No, there are empty payloads. Packets ## 51, 52, 53, 54

Filename:
   Blob Length: 0

@namjaejeon I guess we should fail such requests (with zero filename blob lenght)

E.g.

diff --git a/fs/cifsd/unicode.c b/fs/cifsd/unicode.c
index 1dc7bd141794..526f741bec4d 100644
--- a/fs/cifsd/unicode.c
+++ b/fs/cifsd/unicode.c
@@ -279,6 +279,9 @@ smb_strndup_from_utf16(const char *src, const int maxlen,
        int len, ret;
        char *dst;
 
+       if (!maxlen)
+               return ERR_PTR(-EINVAL);
+
        if (is_unicode) {
                len = smb_utf16_bytes((__le16 *) src, maxlen, codepage);
                len += nls_nullsize(codepage);

from ksmbd.

@sergey-senozhatsky Ah, The empty file name means root, i.e. share path. So it is no problem. The problem seems to be share->path is NULL in smb2_get_info_filesystem(). When analyzing packets, This client only sends tree_connect for IPC and does not send tree connect requests for share. And the tree id of the request for get info filesystem is IPC. I wonder if smb2_get_info_filesystem_pipe should be implemented like smb2_get_info_file_pipe().
And this request is FS_SIZE_INFORMATION, which mean we need to set filesystem statfs informations. but this is IPC share, not share in local filesystem. So I want to know how samba fill response about this request(smb2 get info filesystem - FS_SIZE_INFORMATION).

from ksmbd.

At the same time we certainly don't expect empty rpc method

from ksmbd.

@sergey-senozhatsky Let me check.

@Bernie Is it possible that you provide tcpdump with samba to me ?

from ksmbd.

Unfortunately, I never had samba running on this router and was hoping to avoid doing so.

I'll see if I can get it running on a different machine if it'll help.

from ksmbd.

Unfortunately, I never had samba running on this router and was hoping to avoid doing so.

If you have the space (~9 MB) all you need is install the samba4-server + luci package, the luci/UCI interface is nearly identically to ksmbd. Also both can be installed at the same time, just make sure only one is actually running.

from ksmbd.

@Andy2244 Thanks for your info.

@Bernie I will try to install Dolphin file manager on my ubuntu PC. If I can not reproduce it, I will request it to you again.

from ksmbd.

@Bernie I installed dolphin in my ubuntu, but It seems to not support SMB connection. I am grateful if you provide a tcpdump after setting up samba on your target as Andy guided.

from ksmbd.

@Bernie What is your linux distribution installed dolphin by default ? CentOS ? or Mint ? maybe, I should install your environment to reproduce this issue.

from ksmbd.

@Bernie: Any news?
Have you looked all previous comments?

from ksmbd.