git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
smb: client: fix double-free in SMB2_close() replay
author: Henrique Carvalho <henrique.carvalho@suse.com>
Thu, 18 Jun 2026 20:34:35 +0000 (17:34 -0300)
committer: Steve French <stfrench@microsoft.com>
Thu, 18 Jun 2026 23:12:23 +0000 (18:12 -0500)
A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_close_init() fails before the next send, cleanup
retains the previous buffer type and frees that response again.

Reset response bookkeeping before each attempt to prevent the stale free.

Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/client/smb2pdu.c

index 121ae914c3cf9378afa24a72a76cfd237897c3ea..a7b1fbe28a2d0b8d21216d66bb3f909ca3cde1b3 100644 (file)
@@ -3728,6 +3728,8 @@ __SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
 
 replay_again:
        /* reinitialize for possible replay */
+       resp_buftype = CIFS_NO_BUFFER;
+       memset(&rsp_iov, 0, sizeof(rsp_iov));
        flags = 0;
        query_attrs = false;
        server = cifs_pick_channel(ses);
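Review bot: the two added resets are only safe if every path that jumps back to `replay_again` has already released `rsp_iov`; the commit message covers the case where the previous attempt frees its response buffer before retrying, but if any other path reaches the label with a live response, clearing `resp_buftype` here would turn the double free into a leak. A one-line comment above the added lines stating that invariant would help future readers, e.g. `/* previous response (if any) is already freed; clear stale bookkeeping */`, since the existing "reinitialize for possible replay" comment does not say why the buffer type must be reset.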