Message ID | YFNR1sVU2mIgxNma@mwanda (mailing list archive) |
---|---|
State | New, archived |
Series | cifsd: Fix a use after free on error path |
On (21/03/18 16:12), Dan Carpenter wrote:
> The ksmbd_free_work_struct() frees "work" so we need to swap the order
> of these two function calls to avoid a use after free.
>
> Fixes: cabcebc31de4 ("cifsd: introduce SMB3 kernel server")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thanks.

Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>

-ss
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c index 6c3dbc71134e..f694c14be0df 100644 --- a/fs/cifsd/oplock.c +++ b/fs/cifsd/oplock.c @@ -638,8 +638,8 @@ static void __smb2_oplock_break_noti(struct work_struct *wk) if (allocate_oplock_break_buf(work)) { ksmbd_err("smb2_allocate_rsp_buf failed! "); atomic_dec(&conn->r_count); - ksmbd_free_work_struct(work); ksmbd_fd_put(work, fp); + ksmbd_free_work_struct(work); return; }
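Review bot: in the allocate_oplock_break_buf() failure branch, atomic_dec(&conn->r_count) still runs before ksmbd_fd_put(work, fp) and ksmbd_free_work_struct(work), so the connection's request count is dropped while work and fp are still being released. If anything waits on r_count reaching zero to tear the connection down, that ordering leaves a window similar to the one this swap closes; consider moving the decrement to after both release calls, or stating in the commit message why its current position is safe. Minor: the ksmbd_err() text names smb2_allocate_rsp_buf, while the call that failed is allocate_oplock_break_buf(), which makes the log line harder to trace back to this branch.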
The ksmbd_free_work_struct() frees "work" so we need to swap the order
of these two function calls to avoid a use after free.

Fixes: cabcebc31de4 ("cifsd: introduce SMB3 kernel server")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

---
 fs/cifsd/oplock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)