Paulo,
Added your Reviewed-by to David's patches but wanted to double-check that I didn't apply it to too many of them, since I couldn't find one of your notes.
Does this look OK for your RB on all 14 of these, or just the SMB1 one?
a6fd899da60f (HEAD -> for-next, origin/for-next, origin/HEAD) cifs: Remove dead function prototypes
1b7270c879f5 smb: server: defer the initial recv completion logic to smb_direct_negotiate_recv_work()
9d095775a0cb smb: server: initialize recv_io->cqe.done = recv_done just once
667246dbce2d smb: smbdirect: introduce smbdirect_socket.connect.{lock,work}
2b4e375e4006 cifs: Do some preparation prior to organising the function declarations
c3bdaf3afd87 cifs: Add a tracepoint to log EIO errors
cb416ff96b83 cifs: Don't need state locking in smb2_get_mid_entry()
a64fa1835237 cifs: Remove the server pointer from smb_message
960cd2e1e28a cifs: Fix specification of function pointers
2fdd780130d1 cifs: Replace SendReceiveBlockingLock() with SendReceive() plus flags
bb8172e800b3 cifs: Clean up some places where an extra kvec[] was required for rfc1002
41daa3d4a238 cifs: Make smb1's SendReceive() wrap cifs_send_recv()
3ed72b50d276 cifs: Remove the RFC1002 header from smb_hdr
271b1138e8b4 cifs: Fix handling of a beyond-EOF DIO/unbuffered read over SMB1
On Wed, Dec 3, 2025 at 12:03 PM Paulo Alcantara <pc@manguebit.org> wrote:
David Howells <dhowells@redhat.com> writes:
If a DIO read or an unbuffered read request extends beyond the EOF, the server will return a short read and a status code indicating that EOF was hit, which gets translated to -ENODATA. Note that the client does not cap the request at i_size, but asks for the amount requested in case there's a race on the server with a third party.
Now, on the client side, the request will get split into multiple subrequests if rsize is smaller than the full request size. A subrequest that starts before or at the EOF and returns short data up to the EOF will be correctly handled, with the NETFS_SREQ_HIT_EOF flag being set, indicating to netfslib that we can't read more.
If a subrequest, however, starts after the EOF and not at it, HIT_EOF will not be flagged, its error will be set to -ENODATA and it will be abandoned. This will cause the request as a whole to fail with -ENODATA.
Fix this by setting NETFS_SREQ_HIT_EOF on any subrequest that lies beyond the EOF marker.
This can be reproduced by mounting with "cache=none,sign,vers=1.0" and doing a read of a file that's significantly bigger than the size of the file (e.g. attempting to read 64KiB from a 16KiB file).
Fixes: a68c74865f51 ("cifs: Fix SMB1 readv/writev callback in the same way as SMB2/3")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Steve French <sfrench@samba.org>
cc: Paulo Alcantara <pc@manguebit.org>
cc: Shyam Prasad N <sprasad@microsoft.com>
cc: linux-cifs@vger.kernel.org
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org

Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Dave, looks like we're missing a similar fix for smb2_readv_callback() as well.
Can you handle it?
Thanks.
--
Thanks,
Steve