From: Paulo Alcantara <pc@manguebit.org>
To: smfrench@gmail.com
Cc: Thiago Becker <tbecker@redhat.com>,
"Paulo Alcantara (Red Hat)" <pc@manguebit.org>,
David Howells <dhowells@redhat.com>,
linux-cifs@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH] smb: client: fix oops due to uninitialised var in smb2_unlink()
Date: Thu, 5 Mar 2026 21:57:06 -0300
Message-ID: <20260306005706.830672-1-pc@manguebit.org>
If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the
iovs set in @rqst will be left uninitialised, hence calling
SMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will
oops.

Fix this by initialising @close_iov and @open_iov before setting them
in @rqst.
Reported-by: Thiago Becker <tbecker@redhat.com>
Fixes: 1cf9f2a6a544 ("smb: client: handle unlink(2) of files open by different clients")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: David Howells <dhowells@redhat.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
---
fs/smb/client/smb2inode.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
index 1c4663ed7e69..5280c5c869ad 100644
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -1216,6 +1216,7 @@ smb2_unlink(const unsigned int xid, struct cifs_tcon *tcon, const char *name,
memset(resp_buftype, 0, sizeof(resp_buftype));
memset(rsp_iov, 0, sizeof(rsp_iov));
+ memset(open_iov, 0, sizeof(open_iov));
rqst[0].rq_iov = open_iov;
rqst[0].rq_nvec = ARRAY_SIZE(open_iov);
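Review bot: the new memset(open_iov, 0, sizeof(open_iov)) carries no comment saying why it is needed, and unlike the two memsets above it the reason is not obvious from the code. Per the commit message it exists so that the free helpers on the error path see zeroed iovs when SMB2_open_init() fails; a one-line comment to that effect would keep a later cleanup from dropping it as redundant. It is also worth confirming that SMB2_open_free() treats a zeroed iov as nothing to release, since the fix depends on that and the helper is not part of this diff.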
@@ -1240,14 +1241,15 @@ smb2_unlink(const unsigned int xid, struct cifs_tcon *tcon, const char *name,
creq = rqst[0].rq_iov[0].iov_base;
creq->ShareAccess = FILE_SHARE_DELETE_LE;
+ memset(&close_iov, 0, sizeof(close_iov));
rqst[1].rq_iov = &close_iov;
rqst[1].rq_nvec = 1;
rc = SMB2_close_init(tcon, server, &rqst[1],
COMPOUND_FID, COMPOUND_FID, false);
+ if (rc)
+ goto err_free;
smb2_set_related(&rqst[1]);
- if (rc)
- goto err_free;
if (retries) {
/* Back-off before retry */
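Review bot: moving the if (rc) goto err_free check ahead of smb2_set_related(&rqst[1]) is a second, separate fix in this hunk, but the changelog's "Fix this by" paragraph only mentions initialising @close_iov and @open_iov. Please name the reorder there too, since it is what keeps smb2_set_related() from running on a request that SMB2_close_init() failed to build. The close_iov memset also sits apart from the open_iov memset added in the first hunk; if err_free can be reached before this point, grouping the two would make it clear that close_iov is always zeroed before any cleanup runs.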
--
2.53.0