From: Paulo Alcantara <pc@manguebit.org> mainline inclusion from mainline-v7.0-rc1 commit ebbbc4bfad4cb355d17c671223d0814ee3ef4eda category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13761 CVE: CVE-2026-23205 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent an UAF bug if @data != NULL, otherwise a double free. Fixes: e3a43633023e ("smb/client: fix memory leak in smb2_open_file()") Reported-by: David Howells <dhowells@redhat.com> Closes: https://lore.kernel.org/r/2892312.1770306653@warthog.procyon.org.uk Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org> Reviewed-by: David Howells <dhowells@redhat.com> Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Cc: linux-cifs@vger.kernel.org Signed-off-by: Steve French <stfrench@microsoft.com> Conflicts: fs/smb/client/smb2file.c [Simple context conflicts, which does not affect this patch.] Signed-off-by: Zizhi Wo <wozizhi@huawei.com> --- fs/smb/client/smb2file.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/smb/client/smb2file.c b/fs/smb/client/smb2file.c index d436057ed77e..4e7d5c612256 100644 --- a/fs/smb/client/smb2file.c +++ b/fs/smb/client/smb2file.c @@ -123,6 +123,8 @@ int smb2_open_file(const unsigned int xid, struct cifs_open_parms *oparms, __u32 &err_buftype); if (rc == -EACCES && retry_without_read_attributes) { free_rsp_buf(err_buftype, err_iov.iov_base); + memset(&err_iov, 0, sizeof(err_iov)); + err_buftype = CIFS_NO_BUFFER; oparms->desired_access &= ~FILE_READ_ATTRIBUTES; rc = SMB2_open(xid, oparms, smb2_path, &smb2_oplock, smb2_data, NULL, &err_iov, &err_buftype); -- 2.39.2