git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
smb: client: fix double-free in SMB2_flush() replay
author Zhao Zhang <zzhan461@ucr.edu>
Thu, 18 Jun 2026 15:28:05 +0000 (23:28 +0800)
committer Steve French <stfrench@microsoft.com>
Thu, 18 Jun 2026 23:10:27 +0000 (18:10 -0500)
SMB2_flush() keeps its response buffer bookkeeping across replay
attempts. If a replayable flush response is received and the retry then
fails before cifs_send_recv() stores a replacement response, flush_exit
will free the stale response pointer a second time.

Reinitialize resp_buftype and rsp_iov at the top of the replay loop so
cleanup only acts on response state produced by the current attempt.
This fixes a double-free without changing replay handling for successful
requests.

Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Acked-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Zhao Zhang <zzhan461@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
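The control flow the commit message describes, reduced to a user-space simulation (this is an added example, not code from the kernel or from the patch author): a replay loop that releases its response buffer at the exit label and then jumps back to `replay_again`, with a transport stub whose first attempt hands back a buffer plus a replayable error and whose retry fails before storing a replacement. `fake_send_recv`, `smb2_flush_sim`, the release tracker and the `reinit_on_replay` switch are all assumed names for this example; `CIFS_NO_BUFFER`/`CIFS_SMALL_BUFFER` and `free_rsp_buf` only mirror the shape of the CIFS client bookkeeping. The tracker counts releases of the same pointer instead of freeing it twice, so the double-free shows up as a count rather than heap corruption.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer-type tags and a minimal kvec, modelled on the CIFS client's names
 * (assumed for this example, not copied from the kernel). */
enum { CIFS_NO_BUFFER = 0, CIFS_SMALL_BUFFER = 1 };
struct kvec { void *iov_base; size_t iov_len; };

/* Release tracker: a second release of the same buffer is counted, not
 * performed, so the example runs to completion under any allocator. */
static void *tracked_ptr;
static int release_count;

static void reset_tracker(void)
{
	tracked_ptr = NULL;
	release_count = 0;
}

static void free_rsp_buf(int resp_buftype, void *rsp)
{
	if (resp_buftype == CIFS_NO_BUFFER || rsp == NULL)
		return;
	release_count++;
	if (rsp != tracked_ptr) {	/* first release of this buffer */
		tracked_ptr = rsp;
		free(rsp);
	}
	/* rsp == tracked_ptr here is the stale-pointer double release */
}

/* Transport stub (constructed): attempt 1 stores a response and reports a
 * replayable error; attempt 2 fails before any response is stored, which is
 * the window the commit message describes. */
static int fake_send_recv(int attempt, int *resp_buftype, struct kvec *rsp_iov)
{
	if (attempt == 1) {
		rsp_iov->iov_base = malloc(64);
		rsp_iov->iov_len = 64;
		*resp_buftype = CIFS_SMALL_BUFFER;
		return -EAGAIN;		/* treated as replayable below */
	}
	return -ENOMEM;			/* retry fails early, nothing stored */
}

/* One flush with the replay loop. reinit_on_replay selects the patched
 * behaviour: reset resp_buftype/rsp_iov at the top of every attempt. */
static int smb2_flush_sim(int reinit_on_replay)
{
	int resp_buftype = CIFS_NO_BUFFER;
	struct kvec rsp_iov = { 0 };
	int rc, attempt = 0, retries = 0;

replay_again:
	if (reinit_on_replay) {
		resp_buftype = CIFS_NO_BUFFER;
		memset(&rsp_iov, 0, sizeof(rsp_iov));
	}
	attempt++;
	rc = fake_send_recv(attempt, &resp_buftype, &rsp_iov);
	if (rc)
		goto flush_exit;
	/* a real implementation would parse the response here */

flush_exit:
	/* cleanup acts on whatever bookkeeping survived this attempt */
	free_rsp_buf(resp_buftype, rsp_iov.iov_base);
	if (rc == -EAGAIN && retries++ < 1)
		goto replay_again;
	return rc;
}

/* Number of times the first attempt's buffer is released: 2 without the
 * reset (stale pointer freed again after the failed retry), 1 with it. */
int releases_without_fix(void)
{
	reset_tracker();
	smb2_flush_sim(0);
	return release_count;
}

int releases_with_fix(void)
{
	reset_tracker();
	smb2_flush_sim(1);
	return release_count;
}

int main(void)
{
	printf("releases without reset: %d\n", releases_without_fix());
	printf("releases with reset:    %d\n", releases_with_fix());
	return 0;
}
```

The thing to notice is that the retry never touches `resp_buftype` or `rsp_iov` when it fails early, so the exit path sees exactly the state the previous attempt left behind; resetting both at the top of the loop is what makes cleanup attempt-local.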
fs/smb/client/smb2pdu.c

index 3c7691b393777019b4554695f2e68b0af0056ae0..318559cd00db88ce6d391f66792b11fb53b12719 100644 (file)
@@ -4450,6 +4450,8 @@ SMB2_flush(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
 
 replay_again:
        /* reinitialize for possible replay */
+       resp_buftype = CIFS_NO_BUFFER;
+       memset(&rsp_iov, 0, sizeof(rsp_iov));
        flags = 0;
        server = cifs_pick_channel(ses);
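Review bot: the two-line reset at replay_again: is applied only in SMB2_flush(), while the Fixes: tag points at 4f1fffa23769 ("cifs: commands that are retried should have replay flag set"), which concerns every retried command; please confirm that the other SMB2_* functions using the same replay_again: label and resp_buftype/rsp_iov cleanup do not need the identical reset, or say in the changelog why flush is the only one affected. The placement under the existing "reinitialize for possible replay" comment is right, and clearing the whole rsp_iov with memset() rather than only iov_base is the safer choice, since it leaves no stale length behind for a later attempt either.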