author: Henrique Carvalho <henrique.carvalho@suse.com> 2026-06-18 17:34:38 -0300
committer: Steve French <stfrench@microsoft.com> 2026-06-18 18:12:23 -0500
commit: 9647492b5e41954be59d5157eddbcd4cdc1656f7 (patch)
tree: c5739b6d08c92b6707b9913f24956152947b30f1 /fs
parent: 145f820dcbb2cced374f2532f8a61a44dce4a615 (diff)
smb: client: fix query directory replay double-free

A response-bearing attempt can return a replayable error and free its
response buffer. If SMB2_query_directory_init() fails before the next
send, cleanup retains the previous buffer type and frees that response
again.

Reset response bookkeeping before each attempt to prevent the stale
free.

Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

Diffstat (limited to 'fs')
-rw-r--r-- fs/smb/client/smb2pdu.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 7d4b37b776c5e..85642ea992d57 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -5720,6 +5720,8 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon,
replay_again:
/* reinitialize for possible replay */
+ resp_buftype = CIFS_NO_BUFFER;
+ memset(&rsp_iov, 0, sizeof(rsp_iov));
flags = 0;
server = cifs_pick_channel(ses);
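
Review bot: The reset of resp_buftype and rsp_iov under the replay_again: label only takes effect on re-entry through that label, so the stale buffer type described in the commit message still exists between the point where the response is freed and the jump back. Consider also clearing both values where the response buffer is freed, so the cleanup path cannot free it a second time whichever step fails next. The existing comment "/* reinitialize for possible replay */" could state that the response bookkeeping is cleared to avoid a repeated free, and it is worth checking whether the other retried commands covered by the commit named in the Fixes: tag have the same pattern.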