From: Henrique Carvalho Date: Thu, 18 Jun 2026 20:34:34 +0000 (-0300) Subject: smb: client: fix double-free in SMB2_ioctl() replay X-Git-Tag: v7.2-rc1~24^2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9bbadb6c94583e3b4af1afc449bfceb1d1ddec9;p=thirdparty%2Fkernel%2Flinux.git smb: client: fix double-free in SMB2_ioctl() replay A response-bearing attempt can return a replayable error and free its response buffer. If SMB2_ioctl_init() fails before the next send, cleanup retains the previous buffer type and frees that response again. Reset response bookkeeping before each attempt to prevent the stale free. Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set") Cc: stable@vger.kernel.org Signed-off-by: Henrique Carvalho Signed-off-by: Steve French --- diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 4d6a989748f90..121ae914c3cf9 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -3532,6 +3532,8 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid, replay_again: /* reinitialize for possible replay */ + resp_buftype = CIFS_NO_BUFFER; + memset(&rsp_iov, 0, sizeof(rsp_iov)); flags = 0; server = cifs_pick_channel(ses);
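Review bot: the reset of resp_buftype to CIFS_NO_BUFFER at replay_again is the part that actually closes the double free, since the cleanup path decides whether to release anything based on that type; the memset of rsp_iov additionally stops iov_base from dangling to the buffer the previous attempt already released. Two follow-ups worth checking before merge: the Fixes commit 4f1fffa23769 added replay handling to several retried commands, so the other replay_again loops in smb2pdu.c should be audited for the same stale-bookkeeping pattern (a freed response plus a failed *_init() before the next send), and the comment "/* reinitialize for possible replay */" could name the double-free hazard explicitly so the two new lines are not later hoisted out of the loop as redundant with the declarations.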
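The failure sequence in the commit message (a replayable error that frees the response, then an init failure before the next send, then a cleanup that trusts the stale buffer type) can be reproduced outside the kernel. The following is an added example, not code from the kernel or from this patch: model_init(), model_send(), struct rsp_buf and the counters are hypothetical stand-ins for SMB2_ioctl_init(), the send/receive path and the SMB2 response buffer, and the script of "attempt 1 returns a replayable error, attempt 2 fails in init" is constructed for the demonstration. It runs the same replay loop with and without the per-attempt reset and counts how many times the response is released.

```c
/*
 * Added example (not kernel code): a self-contained model of the stale
 * response bookkeeping described in the commit message. model_init(),
 * model_send() and struct rsp_buf are hypothetical stand-ins for
 * SMB2_ioctl_init(), the send/receive path and the SMB2 response buffer.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define CIFS_NO_BUFFER     0
#define CIFS_SMALL_BUFFER  1
#define EAGAIN 11
#define ENOMEM 12

struct kvec { void *iov_base; size_t iov_len; };

/* Stand-in response buffer; 'alive' lets a second release be detected
 * instead of corrupting a real allocator. */
struct rsp_buf { int alive; };
static struct rsp_buf pool[8];

struct counters { int frees; int double_frees; };

static struct rsp_buf *model_alloc_rsp(int attempt)
{
	pool[attempt].alive = 1;
	return &pool[attempt];
}

/* Same shape as the kernel's free_rsp_buf(): the buffer type decides
 * whether anything is released at all. */
static void model_free_rsp(struct counters *c, int buftype, void *base)
{
	struct rsp_buf *b = base;

	if (buftype == CIFS_NO_BUFFER || !b)
		return;
	if (!b->alive) {
		c->double_frees++;	/* undefined behaviour in the real kernel */
		return;
	}
	b->alive = 0;
	c->frees++;
}

/* Constructed script: attempt 1 gets a response carrying a replayable
 * error, attempt 2 fails in init before anything is sent. */
static int model_init(int attempt)
{
	return attempt == 2 ? -ENOMEM : 0;
}

static int model_send(int attempt, struct kvec *rsp_iov, int *resp_buftype)
{
	if (attempt == 1) {
		rsp_iov->iov_base = model_alloc_rsp(attempt);
		rsp_iov->iov_len = sizeof(struct rsp_buf);
		*resp_buftype = CIFS_SMALL_BUFFER;
		return -EAGAIN;		/* replayable: caller retries */
	}
	return 0;
}

/* Replay loop in the shape of SMB2_ioctl(). Without the per-attempt reset
 * the second pass inherits resp_buftype/rsp_iov from the first, and the
 * cleanup at 'out' releases the already-freed response a second time. */
static int model_ioctl(bool reset_per_attempt, struct counters *c)
{
	struct kvec rsp_iov = { 0 };
	int resp_buftype = CIFS_NO_BUFFER;
	int attempt = 0, retries = 0, rc;

	memset(c, 0, sizeof(*c));
	memset(pool, 0, sizeof(pool));

replay_again:
	attempt++;
	if (reset_per_attempt) {
		/* the fix: forget the previous attempt's response */
		resp_buftype = CIFS_NO_BUFFER;
		memset(&rsp_iov, 0, sizeof(rsp_iov));
	}

	rc = model_init(attempt);
	if (rc)
		goto out;

	rc = model_send(attempt, &rsp_iov, &resp_buftype);
	if (rc == -EAGAIN) {
		/* the response path releases its buffer before asking for a replay */
		model_free_rsp(c, resp_buftype, rsp_iov.iov_base);
		if (retries++ < 3)
			goto replay_again;
	}
out:
	model_free_rsp(c, resp_buftype, rsp_iov.iov_base);
	return rc;
}

/* Convenience wrappers so the two outcomes can be compared directly. */
int double_frees_after(bool reset_per_attempt)
{
	struct counters c;
	model_ioctl(reset_per_attempt, &c);
	return c.double_frees;
}

int frees_after(bool reset_per_attempt)
{
	struct counters c;
	model_ioctl(reset_per_attempt, &c);
	return c.frees;
}
```

Running the unpatched shape gives one legitimate release followed by one double release; with the reset on every pass the second attempt's cleanup sees CIFS_NO_BUFFER and releases nothing. The model deliberately keeps the type check inside model_free_rsp() rather than in the caller, because that is what makes the buffer type the single piece of state that must be correct before each attempt.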