Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

smb: client: fix oops due to uninitialised var in smb2_unlink()

If SMB2_open_init() or SMB2_close_init() fails (e.g. reconnect), the
iovs set in @rqst will be left uninitialised, hence calling
SMB2_open_free(), SMB2_close_free() or smb2_set_related() on them will
oops.

Fix this by initialising @close_iov and @open_iov before setting them
in @rqst.

Reported-by: Thiago Becker <tbecker@redhat.com>
Fixes: 1cf9f2a6a544 ("smb: client: handle unlink(2) of files open by different clients")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: David Howells <dhowells@redhat.com>
Cc: linux-cifs@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by Paulo Alcantara and committed by Steve French
048efe12 340cea84

+3 -1
fs/smb/client/smb2inode.c
··· 1216 1216 memset(resp_buftype, 0, sizeof(resp_buftype)); 1217 1217 memset(rsp_iov, 0, sizeof(rsp_iov)); 1218 1218 1219 + memset(open_iov, 0, sizeof(open_iov)); 1219 1220 rqst[0].rq_iov = open_iov; 1220 1221 rqst[0].rq_nvec = ARRAY_SIZE(open_iov); 1221 1222 ··· 1241 1240 creq = rqst[0].rq_iov[0].iov_base; 1242 1241 creq->ShareAccess = FILE_SHARE_DELETE_LE; 1243 1242 1243 + memset(&close_iov, 0, sizeof(close_iov)); 1244 1244 rqst[1].rq_iov = &close_iov; 1245 1245 rqst[1].rq_nvec = 1; 1246 1246 1247 1247 rc = SMB2_close_init(tcon, server, &rqst[1], 1248 1248 COMPOUND_FID, COMPOUND_FID, false); 1249 - smb2_set_related(&rqst[1]); 1250 1249 if (rc) 1251 1250 goto err_free; 1251 + smb2_set_related(&rqst[1]); 1252 1252 1253 1253 if (retries) { 1254 1254 /* Back-off before retry */
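Review bot: the new `memset(open_iov, 0, sizeof(open_iov));` at 1219 zeroes the array at the point of use rather than at its declaration, and the later `if (retries) { /* Back-off before retry */` block suggests this code is re-entered on retry, so zeroing here is the right choice: a retry iteration could otherwise carry a stale iov_base from a previous SMB2_open_init() into SMB2_open_free() after a failed re-init. A one-line comment next to the memset saying it exists for the SMB2_open_init() failure and retry paths would spare the next reader from re-deriving that, and keeps it from being "cleaned up" into an initialiser at declaration later.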
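Review bot: moving `smb2_set_related(&rqst[1]);` below `if (rc) goto err_free;` is a second, independent fix that the commit message does not describe; it only talks about initialising @close_iov and @open_iov. With close_iov zeroed, calling smb2_set_related() after a failed SMB2_close_init() would still dereference the (now NULL) rq_iov[0].iov_base, so the memset at 1243 alone does not cover that path and the reorder is required. Suggest adding a sentence to the description along the lines of "also only mark the close request as related once SMB2_close_init() has succeeded", so the stable backport carries the reasoning for both hunks.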