diff options
| author |   Jethro Donaldson <devel@jro.nz> | 2025-05-15 01:23:23 +1200 |
|---|---|---|
| committer |   Steve French <stfrench@microsoft.com> | 2025-05-14 19:26:15 -0500 |
| commit | 1fe4a44b7fa3955bcb7b4067c07b778fe90d8ee7 (patch) | |
| tree | e22246228790c15a0ea24dbdbb7eccfc704318f1 | |
| parent | Linux 6.15-rc6 (diff) | |
| download | wireguard-linux-1fe4a44b7fa3955bcb7b4067c07b778fe90d8ee7.tar.xz wireguard-linux-1fe4a44b7fa3955bcb7b4067c07b778fe90d8ee7.zip | |
smb: client: fix memory leak during error handling for POSIX mkdir
The response buffer for the CREATE request handled by smb311_posix_mkdir()
is leaked on the error path (goto err_free_rsp_buf) because the structure
pointer *rsp passed to free_rsp_buf() is not assigned until *after* the
error condition is checked.
As *rsp is initialised to NULL, free_rsp_buf() becomes a no-op and the leak
is instead reported by __kmem_cache_shutdown() upon subsequent rmmod of
cifs.ko if (and only if) the error path has been hit.
Pass rsp_iov.iov_base to free_rsp_buf() instead, similar to the code in
other functions in smb2pdu.c for which *rsp is assigned late.
Cc: stable@vger.kernel.org
Signed-off-by: Jethro Donaldson <devel@jro.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to '')
| -rw-r--r-- | fs/smb/client/smb2pdu.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c index 0b35816d551f..4e28632b5fd6 100644 --- a/fs/smb/client/smb2pdu.c +++ b/fs/smb/client/smb2pdu.c @@ -2968,7 +2968,7 @@ replay_again: /* Eventually save off posix specific response info and timestamps */ err_free_rsp_buf: - free_rsp_buf(resp_buftype, rsp); + free_rsp_buf(resp_buftype, rsp_iov.iov_base); kfree(pc_buf); err_free_req: cifs_small_buf_release(req); |