| Message ID | 20231121134347.3117-1-rbudhiraja@microsoft.com |
|---|---|
| State | New |
| Headers | show |
| Series | cifs: fix use after free for iface while disabling secondary channels | expand |
tentatively merged into for-next pending testing On Tue, Nov 21, 2023 at 7:44 AM Ritvik Budhiraja <budhirajaritviksmb@gmail.com> wrote: > > We were deferencing iface after it has been released. Fix is to > release after all dereference instances have been encountered. > > Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com> > Reported-by: kernel test robot <lkp@intel.com> > Reported-by: Dan Carpenter <error27@gmail.com> > Closes: https://lore.kernel.org/r/202311110815.UJaeU3Tt-lkp@intel.com/ > --- > fs/smb/client/sess.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c > index 8b2d7c1ca428..816e01c5589b 100644 > --- a/fs/smb/client/sess.c > +++ b/fs/smb/client/sess.c > @@ -332,10 +332,10 @@ cifs_disable_secondary_channels(struct cifs_ses *ses) > > if (iface) { > spin_lock(&ses->iface_lock); > - kref_put(&iface->refcount, release_iface); > iface->num_channels--; > if (iface->weight_fulfilled) > iface->weight_fulfilled--; > + kref_put(&iface->refcount, release_iface); > spin_unlock(&ses->iface_lock); > } > > -- > 2.34.1 >
diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c index 8b2d7c1ca428..816e01c5589b 100644 --- a/fs/smb/client/sess.c +++ b/fs/smb/client/sess.c @@ -332,10 +332,10 @@ cifs_disable_secondary_channels(struct cifs_ses *ses) if (iface) { spin_lock(&ses->iface_lock); - kref_put(&iface->refcount, release_iface); iface->num_channels--; if (iface->weight_fulfilled) iface->weight_fulfilled--; + kref_put(&iface->refcount, release_iface); spin_unlock(&ses->iface_lock); }
We were deferencing iface after it has been released. Fix is to release after all dereference instances have been encountered. Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com> Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Closes: https://lore.kernel.org/r/202311110815.UJaeU3Tt-lkp@intel.com/ --- fs/smb/client/sess.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)