author: Henrique Carvalho <henrique.carvalho@suse.com> 2026-06-18 17:34:37 -0300
committer: Steve French <stfrench@microsoft.com> 2026-06-18 18:12:23 -0500
commit: 145f820dcbb2cced374f2532f8a61a44dce4a615
tree: 3ec90727fb0180864a6a51c67b255e2e1b60e9b8 /fs
parent: 2a88561d66eb855813cf004a0abe648bbb17de5e
smb: client: fix change notify replay double-free

A response-bearing attempt can return a replayable error and free its response buffer. If SMB2_notify_init() fails before the next send, cleanup retains the previous buffer type and frees that response again.

Reset response bookkeeping before each attempt to prevent the stale free.

Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

Diffstat (limited to 'fs')
-rw-r--r-- fs/smb/client/smb2pdu.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 6e6aed87ab0a0..7d4b37b776c5e 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -4116,6 +4116,8 @@ SMB2_change_notify(const unsigned int xid, struct cifs_tcon *tcon,
replay_again:
/* reinitialize for possible replay */
+ resp_buftype = CIFS_NO_BUFFER;
+ memset(&rsp_iov, 0, sizeof(rsp_iov));
flags = 0;
server = cifs_pick_channel(ses);
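
Review bot: the two resets added under replay_again rely on the existing generic comment "reinitialize for possible replay", which does not say that resp_buftype and rsp_iov are what the cleanup path uses to decide whether to free a response. A one-line comment above them, noting that a stale buffer type from the previous attempt would be freed again if SMB2_notify_init() fails before the next send, would keep a later refactor from dropping or reordering these lines. Since the Fixes tag points at a commit covering several retried commands, it is also worth confirming that the other replay_again paths in this file reset their response bookkeeping in the same place.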