diff mbox series

cifs: fix use after free for iface while disabling secondary channels

Message ID 20231121134347.3117-1-rbudhiraja@microsoft.com (mailing list archive)
State New, archived
Headers show
Series cifs: fix use after free for iface while disabling secondary channels | expand

Commit Message

Ritvik Budhiraja Nov. 21, 2023, 1:43 p.m. UTC 
We were deferencing iface after it has been released. Fix is to
release after all dereference instances have been encountered.

Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202311110815.UJaeU3Tt-lkp@intel.com/
---
 fs/smb/client/sess.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Steve French Nov. 22, 2023, 1:48 a.m. UTC | #1 
tentatively merged into for-next pending testing

On Tue, Nov 21, 2023 at 7:44 AM Ritvik Budhiraja
<budhirajaritviksmb@gmail.com> wrote:
>
> We were deferencing iface after it has been released. Fix is to
> release after all dereference instances have been encountered.
>
> Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com>
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Closes: https://lore.kernel.org/r/202311110815.UJaeU3Tt-lkp@intel.com/
> ---
>  fs/smb/client/sess.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c
> index 8b2d7c1ca428..816e01c5589b 100644
> --- a/fs/smb/client/sess.c
> +++ b/fs/smb/client/sess.c
> @@ -332,10 +332,10 @@ cifs_disable_secondary_channels(struct cifs_ses *ses)
>
>                 if (iface) {
>                         spin_lock(&ses->iface_lock);
> -                       kref_put(&iface->refcount, release_iface);
>                         iface->num_channels--;
>                         if (iface->weight_fulfilled)
>                                 iface->weight_fulfilled--;
> +                       kref_put(&iface->refcount, release_iface);
>                         spin_unlock(&ses->iface_lock);
>                 }
>
> --
> 2.34.1
>
diff mbox series

Patch

diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c
index 8b2d7c1ca428..816e01c5589b 100644
--- a/fs/smb/client/sess.c
+++ b/fs/smb/client/sess.c
@@ -332,10 +332,10 @@  cifs_disable_secondary_channels(struct cifs_ses *ses)
 
 		if (iface) {
 			spin_lock(&ses->iface_lock);
-			kref_put(&iface->refcount, release_iface);
 			iface->num_channels--;
 			if (iface->weight_fulfilled)
 				iface->weight_fulfilled--;
+			kref_put(&iface->refcount, release_iface);
 			spin_unlock(&ses->iface_lock);
 		}