Commit 99f42415 authored by Paulo Alcantara, committed by Long Li

smb: client: fix double put of @cfile in smb2_rename_path()

stable inclusion
from stable-v6.6.50
commit b27ea9c96efd2c252a981fb00d0f001b86c90f3e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWJS
CVE: CVE-2024-46736

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=tags/v6.6.51&id=b27ea9c96efd2c252a981fb00d0f001b86c90f3e



--------------------------------

[ Upstream commit 3523a3df03c6f04f7ea9c2e7050102657e331a4f ]

If smb2_set_path_attr() is called with a valid @cfile and returned
-EINVAL, we need to call cifs_get_writable_path() again as the
reference of @cfile was already dropped by previous smb2_compound_op()
call.

Fixes: 71f15c90e785 ("smb: client: retry compound request without reusing lease")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Long Li <leo.lilong@huawei.com>
parent 32dc9125
+2 −0
@@ -1105,6 +1105,8 @@ int smb2_rename_path(const unsigned int xid,
				  co, DELETE, SMB2_OP_RENAME, cfile, source_dentry);
	if (rc == -EINVAL) {
		cifs_dbg(FYI, "invalid lease key, resending request without lease");
		cifs_get_writable_path(tcon, from_name,
				       FIND_WR_WITH_DELETE, &cfile);
		rc = smb2_set_path_attr(xid, tcon, from_name, to_name, cifs_sb,
				  co, DELETE, SMB2_OP_RENAME, cfile, NULL);
	}
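Review bot: The return value of the cifs_get_writable_path(tcon, from_name, FIND_WR_WITH_DELETE, &cfile) call in the rc == -EINVAL branch is discarded, so the retry relies on that helper leaving cfile in a safe state when no writable handle is found, which the visible lines do not show. Since the reason for the second lookup is that the first smb2_set_path_attr() call already dropped the @cfile reference, either check the result and clear cfile on failure before the retry, or add a short comment above the call stating that the earlier reference was consumed and that the retry accepts a NULL cfile. As written, a reader of this branch alone cannot tell why the handle is looked up again or what happens when the lookup fails.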