git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
smb: client: fix memory leak during error handling for POSIX mkdir
author Jethro Donaldson <devel@jro.nz>
Wed, 14 May 2025 13:23:23 +0000 (01:23 +1200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 22 May 2025 12:12:22 +0000 (14:12 +0200)
commit 1fe4a44b7fa3955bcb7b4067c07b778fe90d8ee7 upstream.

The response buffer for the CREATE request handled by smb311_posix_mkdir()
is leaked on the error path (goto err_free_rsp_buf) because the structure
pointer *rsp passed to free_rsp_buf() is not assigned until *after* the
error condition is checked.

As *rsp is initialised to NULL, free_rsp_buf() becomes a no-op and the leak
is instead reported by __kmem_cache_shutdown() upon subsequent rmmod of
cifs.ko if (and only if) the error path has been hit.

Pass rsp_iov.iov_base to free_rsp_buf() instead, similar to the code in
other functions in smb2pdu.c for which *rsp is assigned late.

Cc: stable@vger.kernel.org
Signed-off-by: Jethro Donaldson <devel@jro.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/smb/client/smb2pdu.c

index 4536b6fcfa0256c2692f1a8d92897e5fd0038c4f..3e88e8b3c16ec2011843f93e303620675a687a81 100644 (file)
@@ -2979,7 +2979,7 @@ replay_again:
        /* Eventually save off posix specific response info and timestaps */
 
 err_free_rsp_buf:
-       free_rsp_buf(resp_buftype, rsp);
+       free_rsp_buf(resp_buftype, rsp_iov.iov_base);
        kfree(pc_buf);
 err_free_req:
        cifs_small_buf_release(req);
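
Review bot: At err_free_rsp_buf, the free now depends on rsp_iov.iov_base being either NULL or a live response buffer on every path that reaches the label, and nothing in this hunk shows where rsp_iov is initialised. The hunk header places this code after a replay_again label, so please confirm that rsp_iov is zeroed before the first goto err_free_rsp_buf and again on each replay, so that neither an early failure nor a retry can hand a stale pointer to free_rsp_buf(). The commit message notes that rsp is assigned only after the error check, and that late assignment stays in place; a one-line comment at this call saying rsp may still be NULL here would stop a later cleanup from switching the argument back.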