Re: [PATCH] smb/client: Fix error code in smb2_aead_req_alloc()

From: Steve French

Date: Thu Jun 11 2026 - 16:38:02 EST


merged into cifs-2.6.git for-next

On Thu, Jun 11, 2026 at 4:00 AM Dan Carpenter via samba-technical
<samba-technical@xxxxxxxxxxxxxxx> wrote:
>
> The "*num_sgs" variable is a u32 so "ERR_PTR(*num_sgs)" doesn't work.
> We would have to do something similar to the previous line where it's
> cast to int and then long. However, it's simpler to store the return in
> an int ret variable.
>
> This bug would eventually result in a crash when dereferencing the invalid
> error pointer.
>
> Fixes: d08089f649a0 ("cifs: Change the I/O paths to use an iterator rather than a page list")
> Cc: stable@xxxxxxxxxx
> Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
> ---
> fs/smb/client/smb2ops.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
> index a3257815e661..a8f8feeeccb5 100644
> --- a/fs/smb/client/smb2ops.c
> +++ b/fs/smb/client/smb2ops.c
> @@ -4359,11 +4359,13 @@ static void *smb2_aead_req_alloc(struct crypto_aead *tfm, const struct smb_rqst
> unsigned int req_size = sizeof(**req) + crypto_aead_reqsize(tfm);
> unsigned int iv_size = crypto_aead_ivsize(tfm);
> unsigned int len;
> + int ret;
> u8 *p;
>
> - *num_sgs = cifs_get_num_sgs(rqst, num_rqst, sig);
> - if (IS_ERR_VALUE((long)(int)*num_sgs))
> - return ERR_PTR(*num_sgs);
> + ret = cifs_get_num_sgs(rqst, num_rqst, sig);
> + if (ret < 0)
> + return ERR_PTR(ret);
> + *num_sgs = ret;
>
> len = iv_size;
> len += crypto_aead_alignmask(tfm) & ~(crypto_tfm_ctx_alignment() - 1);
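Review bot: at "return ERR_PTR(ret);" the function now returns before "*num_sgs = ret;", so *num_sgs is left unwritten on the failure path, whereas the removed code always stored something there (the wrapped negative value). That is the better behaviour, but it is worth checking that every caller tests the returned pointer with IS_ERR() before reading its num_sgs variable, or initialises that variable at the call site. A short comment above "int ret;" noting that the result of cifs_get_num_sgs() must stay signed until it has been checked would help keep the u32 store from being moved back above the test.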
> --
> 2.53.0
>
>


--
Thanks,

Steve
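The zero-extension problem described in the quoted commit message, as an added userspace C example that is not part of this thread or of the kernel tree. It assumes an LP64 target (64-bit long); the err.h helpers are re-implemented here, and get_num_sgs_stub() and fake_req are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's err.h helpers (same arithmetic). */
#define MAX_ERRNO 4095
static bool IS_ERR_VALUE(unsigned long x) { return x >= (unsigned long)-MAX_ERRNO; }
static void *ERR_PTR(long error) { return (void *)error; }
static long PTR_ERR(const void *ptr) { return (long)ptr; }
static bool IS_ERR(const void *ptr) { return IS_ERR_VALUE((unsigned long)ptr); }

/* Hypothetical stand-in for cifs_get_num_sgs(): a count or a negative errno. */
static int get_num_sgs_stub(bool fail) { return fail ? -ENOMEM : 3; }

static char fake_req[16]; /* constructed placeholder for the allocated request */

/* Pre-patch pattern: the int result is stored in a u32 before ERR_PTR(). */
static void *alloc_before(uint32_t *num_sgs, bool fail)
{
    *num_sgs = get_num_sgs_stub(fail);
    if (IS_ERR_VALUE((long)(int)*num_sgs))
        return ERR_PTR(*num_sgs); /* u32 -> long zero-extends: 0x00000000fffffff4 */
    return fake_req;
}

/* Post-patch pattern: keep the result in an int until it is known to be >= 0. */
static void *alloc_after(uint32_t *num_sgs, bool fail)
{
    int ret = get_num_sgs_stub(fail);
    if (ret < 0)
        return ERR_PTR(ret); /* int -> long sign-extends: 0xfffffffffffffff4 */
    *num_sgs = ret;
    return fake_req;
}

int main(void)
{
    uint32_t n = 0;
    void *before = alloc_before(&n, true);
    void *after = alloc_after(&n, true);

    printf("before: %p IS_ERR=%d\n", before, IS_ERR(before));
    printf("after:  %p IS_ERR=%d PTR_ERR=%ld\n", after, IS_ERR(after), PTR_ERR(after));
    return 0;
}
```

On a 64-bit build the "before" pointer fails IS_ERR(), so a caller that relies on that check would treat it as a valid request pointer.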