smb: client: fix oops due to uninitialised var in smb2_unlink()
authorPaulo Alcantara <pc@manguebit.org>
Fri, 6 Mar 2026 00:57:06 +0000 (21:57 -0300)
committerSteve French <stfrench@microsoft.com>
Fri, 6 Mar 2026 02:41:16 +0000 (20:41 -0600)
If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the
iovs set in @rqst will be left uninitialised, hence calling
SMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will
oops.

Fix this by initialising @close_iov and @open_iov before setting them
in @rqst.

Reported-by: Thiago Becker <tbecker@redhat.com>
Fixes: 1cf9f2a6a544 ("smb: client: handle unlink(2) of files open by different clients")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: David Howells <dhowells@redhat.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/client/smb2inode.c

index 1c4663ed7e69b6e0c463605d9e46a5ec97d5193e..5280c5c869ad5c1b2c7d1a87aad4ce5c1d0561be 100644 (file)
@@ -1216,6 +1216,7 @@ again:
        memset(resp_buftype, 0, sizeof(resp_buftype));
        memset(rsp_iov, 0, sizeof(rsp_iov));
 
+       memset(open_iov, 0, sizeof(open_iov));
        rqst[0].rq_iov = open_iov;
        rqst[0].rq_nvec = ARRAY_SIZE(open_iov);
 
@@ -1240,14 +1241,15 @@ again:
        creq = rqst[0].rq_iov[0].iov_base;
        creq->ShareAccess = FILE_SHARE_DELETE_LE;
 
+       memset(&close_iov, 0, sizeof(close_iov));
        rqst[1].rq_iov = &close_iov;
        rqst[1].rq_nvec = 1;
 
        rc = SMB2_close_init(tcon, server, &rqst[1],
                             COMPOUND_FID, COMPOUND_FID, false);
-       smb2_set_related(&rqst[1]);
        if (rc)
                goto err_free;
+       smb2_set_related(&rqst[1]);
 
        if (retries) {
                /* Back-off before retry */
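Review bot: The ordering dependency introduced at `memset(open_iov, 0, sizeof(open_iov));` and `memset(&close_iov, 0, sizeof(close_iov));` is not visible from the code itself — the zeroing must happen before the corresponding `*_init()` call because the `err_free` path (outside this hunk) apparently frees both iov sets regardless of which init failed, and a reader may later "tidy" the memsets away or move them. A short comment on the first memset would pin that down, e.g. `/* Zero the iovs before *_init(): err_free frees both sets even when an early init fails. */`. The `again:` label in the hunk header suggests this code is re-entered on retry, so zeroing at the point of use rather than at declaration looks like the right choice; worth stating that in the same comment if it is the reason. The enclosing function begins and ends outside this hunk, so I could not confirm what `err_free` does from the visible lines.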