From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> This reverts commit c54a881d793e3eea2a1b1460c5778b22128821ea which is commit 05fd5c2c61732152a6bddc318aae62d7e436629b upstream. Lars writes: This patch should not be in 4.14-stable because 088aaf17aa79300cab14dbee2569c58cfafd7d6e was for 4.18+. Now we have a double-free crash in SMB2_read because there are 2 calls to cifs_small_buf_release in the error path. It was a mistake to backport it this far, so let's revert it. Reported-by: Lars Persson <lists@xxxxxxx> Cc: Ronnie Sahlberg <lsahlber@xxxxxxxxxx> Cc: Pavel Shilovsky <pshilov@xxxxxxxxxxxxx> Cc: Steve French <stfrench@xxxxxxxxxxxxx> Cc: Sasha Levin <alexander.levin@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/cifs/smb2pdu.c | 1 - 1 file changed, 1 deletion(-) --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2699,7 +2699,6 @@ SMB2_read(const unsigned int xid, struct cifs_dbg(VFS, "Send error in read = %d\n", rc); } free_rsp_buf(resp_buftype, rsp_iov.iov_base); - cifs_small_buf_release(req); return rc == -ENODATA ? 0 : rc; }
