* Re: [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
@ 2018-07-25 16:06 Philip Müller
  2018-07-25 22:12 ` Stefano Brivio
  0 siblings, 1 reply; 4+ messages in thread
From: Philip Müller @ 2018-07-25 16:06 UTC (permalink / raw)
  To: Greg Kroah-Hartman, sbrivio; +Cc: stable, mochobb, manjaro

Hi Greg, hi Stefano,

it seems adding "cifs: Fix slab-out-of-bounds in send_set_info() on SMB2
ACE setting" (commit 748144f) [1] created a regression within the Linux
v4.14 kernel series. Writing to a mounted cifs either freezes on writing
or crashes the PC. A more detailed explanation you may find in our
forums [2]. Reverting the patch seems to "fix" it. Thoughts?

Best, Philip
----------------------
Manjaro Project Lead

---

[1]
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/fs/cifs?h=linux-4.14.y&id=748144f35514aef14c4fdef5bcaa0db99cb9367a
[2] https://forum.manjaro.org/t/53250

---

FSTAB entries:

//192.168.0.100/TRANSFER /mnt/TRANSFER cifs
noperm,x-systemd.automount,iocharset=utf8,file_mode=0775,dir_mode=0775,user=xxx,pass=yyy,_netdev,noacl
0 0
//192.168.0.100/MEDIA /mnt/MEDIA cifs
noperm,x-systemd.automount,iocharset=utf8,file_mode=0775,dir_mode=0775,user=xxx,pass=yyy,_netdev,noacl
0 0

Message log:

[ 19.785788] No dialect specified on mount. Default has changed to a
more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To
use the less secure SMB1 dialect to access old servers which do not
support SMB3 (or SMB2.1) specify vers=1.0 on mount.
[ 20.652361] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-2
[ 20.814693] No dialect specified on mount. Default has changed to a
more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To
use the less secure SMB1 dialect to access old servers which do not
support SMB3 (or SMB2.1) specify vers=1.0 on mount.
[ 20.992157] CIFS VFS: ioctl error in smb2_get_dfs_refer rc=-2
[ 212.648892] cache_from_obj: Wrong slab cache. cifs_request but object
is from xfrm_dst_cache
[ 212.648951] ------------[ cut here ]------------
[ 212.648978] WARNING: CPU: 1 PID: 1379 at mm/slab.h:377
kmem_cache_free+0x14d/0x200
[ 212.648985] Modules linked in: md4 nls_utf8 cifs ccm dns_resolver
fscache cmac rfcomm fuse snd_hda_codec_hdmi snd_hda_codec_realtek
snd_hda_codec_generic snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc
snd_soc_sst_dsp snd_hda_ext_core snd_soc_sst_match snd_soc_core bnep
snd_compress snd_pcm_dmaengine ac97_bus vmnet(O) intel_rapl
x86_pkg_temp_thermal intel_powerclamp coretemp arc4 kvm_intel i915
iTCO_wdt iTCO_vendor_support kvm iwlmvm ext4 mac80211 crc32c_generic
mbcache jbd2 fscrypto irqbypass crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel pcbc wmi_bmof i2c_algo_bit snd_hda_intel
drm_kms_helper iwlwifi uvcvideo snd_hda_codec aesni_intel snd_hda_core
videobuf2_vmalloc aes_x86_64 videobuf2_memops crypto_simd glue_helper
btusb cryptd btrtl videobuf2_v4l2 btbcm intel_cstate videobuf2_core
snd_hwdep intel_rapl_perf
[ 212.649203] btintel drm e1000e cfg80211 bluetooth snd_pcm videodev
psmouse media snd_timer pcspkr ptp pps_core thinkpad_acpi i2c_i801 evdev
joydev mousedev input_leds mac_hid rtsx_pci_ms ecdh_generic crc16
memstick intel_gtt nvram agpgart snd shpchp soundcore mei_me syscopyarea
rfkill sysfillrect sysimgblt mei fb_sys_fops intel_pch_thermal thermal
led_class wmi battery ac video acpi_pad button sch_fq_codel vmmon(O)
vmw_vmci uinput crypto_user ip_tables x_tables btrfs xor zstd_decompress
zstd_compress xxhash hid_logitech_hidpp raid6_pq hid_logitech_dj usbhid
hid sd_mod rtsx_pci_sdmmc mmc_core serio_raw atkbd libps2 ahci libahci
xhci_pci libata xhci_hcd rtsx_pci usbcore scsi_mod usb_common i8042
serio crc32c_intel
[ 212.649453] CPU: 1 PID: 1379 Comm: pool Tainted: G O 4.14.57-1-MANJARO #1
[ 212.649457] Hardware name: LENOVO 20J4000LGE/20J4000LGE, BIOS R0GET60W
(1.60 ) 12/15/2017
[ 212.649465] task: ffff88a7197f8f00 task.stack: ffffb1dac2184000
[ 212.649481] RIP: 0010:kmem_cache_free+0x14d/0x200
[ 212.649488] RSP: 0018:ffffb1dac2187c90 EFLAGS: 00010246
[ 212.649497] RAX: 0000000000000050 RBX: ffff88a75ba90000 RCX:
0000000000000000
[ 212.649503] RDX: 0000000000000000 RSI: ffff88a77f4965d8 RDI:
ffff88a77f4965d8
[ 212.649509] RBP: ffff88a73962f380 R08: ffffffff8d474920 R09:
000000000000035c
[ 212.649515] R10: 0000000000000004 R11: ffffffff8e56a36d R12:
ffff88a75812c000
[ 212.649521] R13: ffff88a77489b600 R14: ffffb1dac2187d78 R15:
0000000000000000
[ 212.649531] FS: 00007f253ccc3700(0000) GS:ffff88a77f480000(0000)
knlGS:0000000000000000
[ 212.649538] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 212.649545] CR2: 00007f386b887810 CR3: 0000000211452003 CR4:
00000000003606e0
[ 212.649549] Call Trace:
[ 212.649657] cifs_buf_release.part.6+0x11/0x20 [cifs]
[ 212.649763] send_set_info+0x1ac/0x210 [cifs]
[ 212.649878] SMB2_rmdir+0x5d/0x80 [cifs]
[ 212.649977] smb2_open_op_close+0x1bd/0x220 [cifs]
[ 212.649992] ? __kmalloc+0x19e/0x220
[ 212.650080] ? build_path_from_dentry_optional_prefix+0x1c1/0x400 [cifs]
[ 212.650176] smb2_rmdir+0x25/0x30 [cifs]
[ 212.650271] cifs_rmdir+0xb8/0x290 [cifs]
[ 212.650287] vfs_rmdir+0xd1/0x140
[ 212.650300] do_rmdir+0x17d/0x1e0
[ 212.650318] do_syscall_64+0x67/0x100
[ 212.650332] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 212.650342] RIP: 0033:0x7f2558e5f647
[ 212.650348] RSP: 002b:00007f253ccc2b38 EFLAGS: 00000246 ORIG_RAX:
0000000000000054
[ 212.650359] RAX: ffffffffffffffda RBX: 00007f253801f500 RCX:
00007f2558e5f647
[ 212.650364] RDX: 00007f253ccc2b90 RSI: 0000563e90e93d40 RDI:
00007f253801f500
[ 212.650369] RBP: 0000563e90ab08c0 R08: 0000563e908c3468 R09:
0000563e908c3470
[ 212.650375] R10: 0000563e908df8c8 R11: 0000000000000246 R12:
00007f253ccc2b90
[ 212.650380] R13: 00007f253ccc2c20 R14: 00007f253ccc2b90 R15:
0000563e8ead215b
[ 212.650389] Code: fe ff ff 48 3b a8 d8 00 00 00 0f 84 83 00 00 00 48
8b 48 60 48 8b 55 60 48 c7 c6 20 44 c3 8d 48 c7 c7 00 48 e1 8d e8 8e 44
ed ff <0f> 0b e9 ca fe ff ff 65 8b 05 6d 51 e0 72 89 c0 48 0f a3 05 8b
[ 212.650572] ---[ end trace 05a8377b2d80ea1c ]---
[ 212.680246] cache_from_obj: Wrong slab cache. cifs_request but object
is from xfrm_dst_cache
[ 212.725303] cache_from_obj: Wrong slab cache. cifs_request but object
is from xfrm_dst_cache
[ 212.740595] general protection fault: 0000 [#1] PREEMPT SMP PTI
[ 212.740602] Modules linked in: md4 nls_utf8 cifs ccm dns_resolver
fscache cmac rfcomm fuse snd_hda_codec_hdmi snd_hda_codec_realtek
snd_hda_codec_generic snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc
snd_soc_sst_dsp snd_hda_ext_core snd_soc_sst_match snd_soc_core bnep
snd_compress snd_pcm_dmaengine ac97_bus vmnet(O) intel_rapl
x86_pkg_temp_thermal intel_powerclamp coretemp arc4 kvm_intel i915
iTCO_wdt iTCO_vendor_support kvm iwlmvm ext4 mac80211 crc32c_generic
mbcache jbd2 fscrypto irqbypass crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel pcbc wmi_bmof i2c_algo_bit snd_hda_intel
drm_kms_helper iwlwifi uvcvideo snd_hda_codec aesni_intel snd_hda_core
videobuf2_vmalloc aes_x86_64 videobuf2_memops crypto_simd glue_helper
btusb cryptd btrtl videobuf2_v4l2 btbcm intel_cstate videobuf2_core
snd_hwdep intel_rapl_perf
[ 212.740687] btintel drm e1000e cfg80211 bluetooth snd_pcm videodev
psmouse media snd_timer pcspkr ptp pps_core thinkpad_acpi i2c_i801 evdev
joydev mousedev input_leds mac_hid rtsx_pci_ms ecdh_generic crc16
memstick intel_gtt nvram agpgart snd shpchp soundcore mei_me syscopyarea
rfkill sysfillrect sysimgblt mei fb_sys_fops intel_pch_thermal thermal
led_class wmi battery ac video acpi_pad button sch_fq_codel vmmon(O)
vmw_vmci uinput crypto_user ip_tables x_tables btrfs xor zstd_decompress
zstd_compress xxhash hid_logitech_hidpp raid6_pq hid_logitech_dj usbhid
hid sd_mod rtsx_pci_sdmmc mmc_core serio_raw atkbd libps2 ahci libahci
xhci_pci libata xhci_hcd rtsx_pci usbcore scsi_mod usb_common i8042
serio crc32c_intel
[ 212.740793] CPU: 1 PID: 1162 Comm: cifsd Tainted: G W O
4.14.57-1-MANJARO #1
[ 212.740797] Hardware name: LENOVO 20J4000LGE/20J4000LGE, BIOS R0GET60W
(1.60 ) 12/15/2017
[ 212.740802] task: ffff88a772a99e00 task.stack: ffffb1dac1ec8000
[ 212.740810] RIP: 0010:prefetch_freepointer+0x11/0x20
[ 212.740815] RSP: 0018:ffffb1dac1ecbde0 EFLAGS: 00010202
[ 212.740820] RAX: 0000000000000000 RBX: 0c24ecb2149c4fdf RCX:
0000000000012681
[ 212.740824] RDX: 0000000000012601 RSI: 0c24ecb2149c4fdf RDI:
ffff88a775401c80
[ 212.740828] RBP: 0000000001011200 R08: ffff88a775e78f00 R09:
0000000000000000
[ 212.740832] R10: 0000000000000000 R11: 000000002f32988b R12:
ffff88a75ba90000
[ 212.740836] R13: ffff88a775401c80 R14: ffff88a775401c80 R15:
ffffffff8d19a8b5
[ 212.740841] FS: 0000000000000000(0000) GS:ffff88a77f480000(0000)
knlGS:0000000000000000
[ 212.740845] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 212.740849] CR2: 00007f386b887810 CR3: 000000013200a006 CR4:
00000000003606e0
[ 212.740852] Call Trace:
[ 212.740861] kmem_cache_alloc+0x94/0x1a0
[ 212.740870] ? wait_woken+0x80/0x80
[ 212.740878] mempool_alloc+0x65/0x190
[ 212.740886] ? try_to_wake_up+0x54/0x4b0
[ 212.740925] cifs_small_buf_get+0x16/0x20 [cifs]
[ 212.740957] cifs_demultiplex_thread+0x619/0xb10 [cifs]
[ 212.740989] ? cifs_handle_standard+0x190/0x190 [cifs]
[ 212.740996] kthread+0x119/0x130
[ 212.741003] ? kthread_create_on_node+0x60/0x60
[ 212.741011] ret_from_fork+0x35/0x40
[ 212.741016] Code: 89 d3 e8 63 f9 47 00 85 c0 0f 85 b1 70 00 00 48 83
c4 08 5b 5d 41 5c 41 5d c3 0f 1f 44 00 00 48 85 f6 74 14 48 63 47 20 48
01 c6 <48> 33 36 48 33 b7 40 01 00 00 0f 18 0e c3 90 0f 1f 44 00 00 55
[ 212.741096] RIP: prefetch_freepointer+0x11/0x20 RSP: ffffb1dac1ecbde0
[ 212.741101] ---[ end trace 05a8377b2d80ea1d ]---


* Re: [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
  2018-07-25 16:06 [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting Philip Müller
@ 2018-07-25 22:12 ` Stefano Brivio
  2018-07-26 10:22   ` Greg Kroah-Hartman
  0 siblings, 1 reply; 4+ messages in thread
From: Stefano Brivio @ 2018-07-25 22:12 UTC (permalink / raw)
  To: Philip Müller, Greg Kroah-Hartman; +Cc: stable, mochobb, manjaro

On Wed, 25 Jul 2018 18:06:25 +0200
Philip Müller <philm@manjaro.org> wrote:

> Hi Greg, hi Stefano,
> 
> seems adding "cifs: Fix slab-out-of-bounds in send_set_info() on SMB2
> ACE setting" (commit 748144f) [1] created a regression within linux
> v4.14 kernel series. Writing to a mounted cifs either freezes on writing
> or crashes the PC. A more detailed explanation you may find in our
> forums [2]. Reverting the patch, seems to "fix" it. Thoughts?

Hi Philip,

thanks for reporting this.

My bad, I didn't check what the backport of f46ecbd97f50 ("cifs: Fix
slab-out-of-bounds in send_set_info() on SMB2 ACE setting") looked like on
4.14. As 4.14 doesn't have commit 2fc803efe614 ("cifs: remove rfc1002
header from smb2_set_info_req"), the effect is substantially different.

Greg, I would need some time to check if we actually need this at all on
4.14, to do a proper backport if so, and to run tests. Could you please
revert this on 4.14.y for the time being? If a backport is needed, I'll
send it later on. Thanks!

-- 
Stefano


* Re: [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
  2018-07-25 22:12 ` Stefano Brivio
@ 2018-07-26 10:22   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-26 10:22 UTC (permalink / raw)
  To: Stefano Brivio; +Cc: Philip Müller, stable, mochobb, manjaro

On Thu, Jul 26, 2018 at 08:12:02AM +1000, Stefano Brivio wrote:
> On Wed, 25 Jul 2018 18:06:25 +0200
> Philip Müller <philm@manjaro.org> wrote:
> 
> > Hi Greg, hi Stefano,
> > 
> > seems adding "cifs: Fix slab-out-of-bounds in send_set_info() on SMB2
> > ACE setting" (commit 748144f) [1] created a regression within linux
> > v4.14 kernel series. Writing to a mounted cifs either freezes on writing
> > or crashes the PC. A more detailed explanation you may find in our
> > forums [2]. Reverting the patch, seems to "fix" it. Thoughts?
> 
> Hi Philip,
> 
> thanks for reporting this.
> 
> My bad, I didn't check how the backport of f46ecbd97f50 ("cifs: Fix
> slab-out-of-bounds in send_set_info() on SMB2 ACE setting") looked like on
> 4.14. As 4.14 doesn't have commit 2fc803efe614 ("cifs: remove rfc1002
> header from smb2_set_info_req"), the effect is substantially different.
> 
> Greg, I would need some time to check if we actually need this at all on
> 4.14, to do a proper backport in case and to run tests. Could you please
> revert this on 4.14.y for the moment being? If a backport is needed, I'll
> send it later on. Thanks!

Now reverted, thanks.

greg k-h


* [PATCH 4.14 12/53] cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting
  2018-07-10 18:24 [PATCH 4.14 00/53] 4.14.55-stable review Greg Kroah-Hartman
@ 2018-07-10 18:24 ` Greg Kroah-Hartman
  0 siblings, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-10 18:24 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jianhong Yin, Stefano Brivio, Steve French

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stefano Brivio <sbrivio@redhat.com>

commit f46ecbd97f508e68a7806291a139499794874f3d upstream.

A "small" CIFS buffer is not big enough in general to hold a
setacl request for SMB2, and we end up overflowing the buffer in
send_set_info(). For instance:

 # mount.cifs //127.0.0.1/test /mnt/test -o username=test,password=test,nounix,cifsacl
 # touch /mnt/test/acltest
 # getcifsacl /mnt/test/acltest
 REVISION:0x1
 CONTROL:0x9004
 OWNER:S-1-5-21-2926364953-924364008-418108241-1000
 GROUP:S-1-22-2-1001
 ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
 ACL:S-1-22-2-1001:ALLOWED/0x0/R
 ACL:S-1-22-2-1001:ALLOWED/0x0/R
 ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
 ACL:S-1-1-0:ALLOWED/0x0/R
 # setcifsacl -a "ACL:S-1-22-2-1004:ALLOWED/0x0/R" /mnt/test/acltest

this setacl will cause the following KASAN splat:

[  330.777927] BUG: KASAN: slab-out-of-bounds in send_set_info+0x4dd/0xc20 [cifs]
[  330.779696] Write of size 696 at addr ffff88010d5e2860 by task setcifsacl/1012

[  330.781882] CPU: 1 PID: 1012 Comm: setcifsacl Not tainted 4.18.0-rc2+ #2
[  330.783140] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  330.784395] Call Trace:
[  330.784789]  dump_stack+0xc2/0x16b
[  330.786777]  print_address_description+0x6a/0x270
[  330.787520]  kasan_report+0x258/0x380
[  330.788845]  memcpy+0x34/0x50
[  330.789369]  send_set_info+0x4dd/0xc20 [cifs]
[  330.799511]  SMB2_set_acl+0x76/0xa0 [cifs]
[  330.801395]  set_smb2_acl+0x7ac/0xf30 [cifs]
[  330.830888]  cifs_xattr_set+0x963/0xe40 [cifs]
[  330.840367]  __vfs_setxattr+0x84/0xb0
[  330.842060]  __vfs_setxattr_noperm+0xe6/0x370
[  330.843848]  vfs_setxattr+0xc2/0xd0
[  330.845519]  setxattr+0x258/0x320
[  330.859211]  path_setxattr+0x15b/0x1b0
[  330.864392]  __x64_sys_setxattr+0xc0/0x160
[  330.866133]  do_syscall_64+0x14e/0x4b0
[  330.876631]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  330.878503] RIP: 0033:0x7ff2e507db0a
[  330.880151] Code: 48 8b 0d 89 93 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 93 2c 00 f7 d8 64 89 01 48
[  330.885358] RSP: 002b:00007ffdc4903c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
[  330.887733] RAX: ffffffffffffffda RBX: 000055d1170de140 RCX: 00007ff2e507db0a
[  330.890067] RDX: 000055d1170de7d0 RSI: 000055d115b39184 RDI: 00007ffdc4904818
[  330.892410] RBP: 0000000000000001 R08: 0000000000000000 R09: 000055d1170de7e4
[  330.894785] R10: 00000000000002b8 R11: 0000000000000246 R12: 0000000000000007
[  330.897148] R13: 000055d1170de0c0 R14: 0000000000000008 R15: 000055d1170de550

[  330.901057] Allocated by task 1012:
[  330.902888]  kasan_kmalloc+0xa0/0xd0
[  330.904714]  kmem_cache_alloc+0xc8/0x1d0
[  330.906615]  mempool_alloc+0x11e/0x380
[  330.908496]  cifs_small_buf_get+0x35/0x60 [cifs]
[  330.910510]  smb2_plain_req_init+0x4a/0xd60 [cifs]
[  330.912551]  send_set_info+0x198/0xc20 [cifs]
[  330.914535]  SMB2_set_acl+0x76/0xa0 [cifs]
[  330.916465]  set_smb2_acl+0x7ac/0xf30 [cifs]
[  330.918453]  cifs_xattr_set+0x963/0xe40 [cifs]
[  330.920426]  __vfs_setxattr+0x84/0xb0
[  330.922284]  __vfs_setxattr_noperm+0xe6/0x370
[  330.924213]  vfs_setxattr+0xc2/0xd0
[  330.926008]  setxattr+0x258/0x320
[  330.927762]  path_setxattr+0x15b/0x1b0
[  330.929592]  __x64_sys_setxattr+0xc0/0x160
[  330.931459]  do_syscall_64+0x14e/0x4b0
[  330.933314]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  330.936843] Freed by task 0:
[  330.938588] (stack is not available)

[  330.941886] The buggy address belongs to the object at ffff88010d5e2800
 which belongs to the cache cifs_small_rq of size 448
[  330.946362] The buggy address is located 96 bytes inside of
 448-byte region [ffff88010d5e2800, ffff88010d5e29c0)
[  330.950722] The buggy address belongs to the page:
[  330.952789] page:ffffea0004357880 count:1 mapcount:0 mapping:ffff880108fdca80 index:0x0 compound_mapcount: 0
[  330.955665] flags: 0x17ffffc0008100(slab|head)
[  330.957760] raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff880108fdca80
[  330.960356] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[  330.963005] page dumped because: kasan: bad access detected

[  330.967039] Memory state around the buggy address:
[  330.969255]  ffff88010d5e2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  330.971833]  ffff88010d5e2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  330.974397] >ffff88010d5e2980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[  330.976956]                                            ^
[  330.979226]  ffff88010d5e2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  330.981755]  ffff88010d5e2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  330.984225] ==================================================================

Fix this by allocating a regular CIFS buffer in
smb2_plain_req_init() if the request command is SMB2_SET_INFO.

Reported-by: Jianhong Yin <jiyin@redhat.com>
Fixes: 366ed846df60 ("cifs: Use smb 2 - 3 and cifsacl mount options setacl function")
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-and-tested-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -338,7 +338,10 @@ smb2_plain_req_init(__le16 smb2_command,
 		return rc;
 
 	/* BB eventually switch this to SMB2 specific small buf size */
-	*request_buf = cifs_small_buf_get();
+	if (smb2_command == SMB2_SET_INFO)
+		*request_buf = cifs_buf_get();
+	else
+		*request_buf = cifs_small_buf_get();
 	if (*request_buf == NULL) {
 		/* BB should we add a retry in here if not a writepage? */
 		return -ENOMEM;
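Review bot: the command-keyed branch `if (smb2_command == SMB2_SET_INFO)` silently changes which pool the caller must release to, and nothing in the hunk records that; the comment left above it (`/* BB eventually switch this to SMB2 specific small buf size */`) now describes only the else branch. Suggest a comment on the branch stating why SET_INFO is special (the setacl request is larger than the 448-byte cifs_small_rq object, per the KASAN report in the description) and that the matching release in send_set_info() must therefore be cifs_buf_release(), so the pairing survives future edits and backports. Choosing the pool from the actual request length instead of the command would remove the dependency on that pairing altogether.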
@@ -3168,7 +3171,7 @@ send_set_info(const unsigned int xid, st
 	}
 
 	rc = SendReceive2(xid, ses, iov, num, &resp_buftype, flags, &rsp_iov);
-	cifs_small_buf_release(req);
+	cifs_buf_release(req);
 	rsp = (struct smb2_set_info_rsp *)rsp_iov.iov_base;
 
 	if (rc != 0)
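Review bot: the switch to `cifs_buf_release(req);` is correct only if every `req` reaching this line came from the SMB2_SET_INFO branch added to smb2_plain_req_init(); the two hunks are a matched pair and cannot be taken independently of what the request-init path looks like in the target tree. The 4.14 report earlier in this thread (`cache_from_obj: Wrong slab cache. cifs_request but object is from xfrm_dst_cache`, raised from cifs_buf_release called by send_set_info under SMB2_rmdir) is the symptom of that pairing breaking, and Stefano's reply attributes it to 4.14 lacking 2fc803efe614. Suggest that a backport confirm by inspection that send_set_info() on 4.14.y obtains req through the modified smb2_plain_req_init() branch before this hunk is applied, or that both hunks be reverted together, as was done.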



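As an added illustration for the commit message above (constructed example code, not cifs driver code and not part of the patch), the following C model of two request pools shows two things: why the pre-fix small buffer overflows for the setacl request in the KASAN report (a 696-byte write starting 96 bytes into a 448-byte object), and the alloc/release pairing that the 4.14 regression reported earlier in this thread broke. It sizes the buffer by the required length rather than by command, which is a different choice from the patch's SMB2_SET_INFO branch; the pool tagging, the value of REGULAR_BUF_SIZE and every function name here are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not cifs code. The 448-byte small object, the 96-byte
 * offset and the 696-byte write are the figures from the KASAN report in the
 * patch description; REGULAR_BUF_SIZE is an assumption of this model. */
#define SMALL_BUF_SIZE    448
#define REGULAR_BUF_SIZE  4096
#define SET_INFO_HDR_LEN  96

enum pool_kind { POOL_SMALL = 1, POOL_REGULAR = 2 };

/* Each buffer is tagged with the pool it came from, standing in for the
 * slab bookkeeping that produced the "Wrong slab cache" warning in the report. */
struct req_buf {
	enum pool_kind pool;
	size_t capacity;
	unsigned char data[];
};

static struct req_buf *pool_get(enum pool_kind kind)
{
	size_t cap = (kind == POOL_SMALL) ? SMALL_BUF_SIZE : REGULAR_BUF_SIZE;
	struct req_buf *b = malloc(sizeof(*b) + cap);

	if (!b)
		return NULL;
	b->pool = kind;
	b->capacity = cap;
	return b;
}

/* Returns 0 on a matched release, -1 when the buffer is handed back to a pool
 * other than the one it came from (the mismatch behind the 4.14 regression).
 * The memory is freed either way in this model. */
static int pool_release(struct req_buf *b, enum pool_kind as)
{
	int rc;

	if (!b)
		return -1;
	rc = (b->pool == as) ? 0 : -1;
	if (rc)
		fprintf(stderr, "release: buffer from pool %d released as pool %d\n",
			(int)b->pool, (int)as);
	free(b);
	return rc;
}

static size_t set_info_req_len(size_t payload_len)
{
	return SET_INFO_HDR_LEN + payload_len;
}

/* Pre-fix behaviour, computed rather than performed: how many bytes of a
 * SET_INFO request with this payload would land past a small buffer. */
static size_t overflow_if_small(size_t payload_len)
{
	size_t need = set_info_req_len(payload_len);

	return need > SMALL_BUF_SIZE ? need - SMALL_BUF_SIZE : 0;
}

/* Size-driven variant: choose the pool from the required length, bound the
 * copy by the buffer's capacity, and release to the pool recorded on the
 * buffer itself. Returns the pool used (POOL_SMALL/POOL_REGULAR) or -1. */
static int send_set_info_sized(const unsigned char *payload, size_t payload_len)
{
	size_t need = set_info_req_len(payload_len);
	enum pool_kind kind = need <= SMALL_BUF_SIZE ? POOL_SMALL : POOL_REGULAR;
	struct req_buf *req = pool_get(kind);

	if (!req)
		return -1;
	if (need > req->capacity) {	/* never copy past the object */
		free(req);
		return -1;
	}
	memset(req->data, 0, SET_INFO_HDR_LEN);
	memcpy(req->data + SET_INFO_HDR_LEN, payload, payload_len);
	/* ... the request would be sent here ... */
	if (pool_release(req, req->pool) != 0)
		return -1;
	return (int)kind;
}

/* Convenience for a constructed payload of a given length (filled with 0xAB). */
static int pool_used_for_payload(size_t payload_len)
{
	unsigned char *payload = malloc(payload_len ? payload_len : 1);
	int rc;

	if (!payload)
		return -1;
	memset(payload, 0xAB, payload_len);
	rc = send_set_info_sized(payload, payload_len);
	free(payload);
	return rc;
}

int main(void)
{
	printf("small-buffer overflow for the 696-byte ACL: %zu bytes\n",
	       overflow_if_small(696));
	printf("size-driven send uses pool %d\n", pool_used_for_payload(696));
	/* The regression pattern: taken from the small pool, released as regular. */
	printf("mismatched release rc=%d\n",
	       pool_release(pool_get(POOL_SMALL), POOL_REGULAR));
	return 0;
}
```

Run it and the first line reports 344 bytes, which is exactly 96 + 696 - 448; the second shows the 696-byte payload routed to the regular pool; the third reproduces the mismatch check firing, which is the model's equivalent of the `cache_from_obj` warning in Philip's log.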
