author Henrique Carvalho <henrique.carvalho@suse.com> 2026-06-18 17:34:35 -0300
committer Steve French <stfrench@microsoft.com> 2026-06-18 18:12:23 -0500
commit f96e1cdcb63ed3321142ff2fcdf784e32cda8fee
tree 21fdc7cf19a04ba8064396044907a1d5146a5a66 /fs
parent f9bbadb6c94583e3b4af1afc449bfceb1d1ddec9
smb: client: fix double-free in SMB2_close() replay
A response-bearing attempt can return a replayable error and free its response buffer. If SMB2_close_init() fails before the next send, cleanup retains the previous buffer type and frees that response again. Reset response bookkeeping before each attempt to prevent the stale free.

Fixes: 4f1fffa23769 ("cifs: commands that are retried should have replay flag set")
Cc: stable@vger.kernel.org
Signed-off-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs')
-rw-r--r-- fs/smb/client/smb2pdu.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 121ae914c3cf9..a7b1fbe28a2d0 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -3728,6 +3728,8 @@ __SMB2_close(const unsigned int xid, struct cifs_tcon *tcon,
replay_again:
/* reinitialize for possible replay */
+ resp_buftype = CIFS_NO_BUFFER;
+ memset(&rsp_iov, 0, sizeof(rsp_iov));
flags = 0;
query_attrs = false;
server = cifs_pick_channel(ses);
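Review bot: The memset of rsp_iov added under replay_again: discards rsp_iov.iov_base unconditionally, so it is only leak-free if every path that jumps back to the label has already released the previous response; please confirm the free happens before the goto and not only in the shared cleanup. The existing comment "reinitialize for possible replay" also does not say why the response bookkeeping must be cleared here. A short comment next to "resp_buftype = CIFS_NO_BUFFER;" noting that cleanup would otherwise free the previous attempt's buffer again when SMB2_close_init() fails would keep a later refactor from dropping these two lines.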