| Message ID | Y3dw8KLm7MDgACCY@kili (mailing list archive) |
|---|---|
| State | New, archived |
| Series | cifs: Use after free in debug code |
Dan Carpenter <error27@gmail.com> writes:

> This debug code dereferences "old_iface" after it was already freed by
> the call to release_iface(). Re-order the debugging to avoid this
> issue.
>
> Fixes: b54034a73baf ("cifs: during reconnect, update interface if necessary")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> fs/cifs/sess.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
merged into cifs-2.6.git for-next

On Fri, Nov 18, 2022 at 8:48 AM Paulo Alcantara via samba-technical <samba-technical@lists.samba.org> wrote:
>
> Dan Carpenter <error27@gmail.com> writes:
>
> > This debug code dereferences "old_iface" after it was already freed by
> > the call to release_iface(). Re-order the debugging to avoid this
> > issue.
> >
> > Fixes: b54034a73baf ("cifs: during reconnect, update interface if necessary")
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > fs/cifs/sess.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
>
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c index 92e4278ec35d..9e7d9f0baa18 100644 --- a/fs/cifs/sess.c +++ b/fs/cifs/sess.c @@ -302,14 +302,14 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server) /* now drop the ref to the current iface */ if (old_iface && iface) { - kref_put(&old_iface->refcount, release_iface); cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n", &old_iface->sockaddr, &iface->sockaddr); - } else if (old_iface) { kref_put(&old_iface->refcount, release_iface); + } else if (old_iface) { cifs_dbg(FYI, "releasing ref to iface: %pIS\n", &old_iface->sockaddr); + kref_put(&old_iface->refcount, release_iface); } else { WARN_ON(!iface); cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr);
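Review bot: The reorder is correct in both old_iface branches of the hunk: `%pIS` dereferences `&old_iface->sockaddr` when cifs_dbg() runs, so the log line has to come before `kref_put(&old_iface->refcount, release_iface)`, which may free old_iface when the last reference drops. Since both of those branches now end with the identical kref_put() call, consider hoisting it out of the if/else chain under a single `if (old_iface)` after the logging; that removes the duplication and makes it harder for a later edit to reintroduce the original ordering bug.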
This debug code dereferences "old_iface" after it was already freed by
the call to release_iface(). Re-order the debugging to avoid this
issue.

Fixes: b54034a73baf ("cifs: during reconnect, update interface if necessary")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
fs/cifs/sess.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)