Commit a6c015b7 authored by Stefan Metzmacher's avatar Stefan Metzmacher Committed by Steve French
Browse files

smb: server: let recv_done() avoid touching data_transfer after cleanup/move 



Calling enqueue_reassembly() and wake_up_interruptible(&t->wait_reassembly_queue)
or put_receive_buffer() means the recvmsg/data_transfer pointer might
get re-used by another thread, which means these should be
the last operations before calling return.

Cc: Namjae Jeon <linkinjeon@kernel.org>
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: 0626e664 ("cifsd: add server handler for central processing and tranport layers")
Signed-off-by: default avatarStefan Metzmacher <metze@samba.org>
Acked-by: default avatarNamjae Jeon <linkinjeon@kernel.org>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent cfe76fdb

fs/smb/server/transport_rdma.c

+7 −5
Original line number Diff line number Diff line
@@ -581,16 +581,11 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) 
			else

				t->full_packet_received = true;



			enqueue_reassembly(t, recvmsg, (int)data_length);

			wake_up_interruptible(&t->wait_reassembly_queue);



			spin_lock(&t->receive_credit_lock);

			receive_credits = --(t->recv_credits);

			avail_recvmsg_count = t->count_avail_recvmsg;

			spin_unlock(&t->receive_credit_lock);

		} else {

			put_recvmsg(t, recvmsg);



			spin_lock(&t->receive_credit_lock);

			receive_credits = --(t->recv_credits);

			avail_recvmsg_count = ++(t->count_avail_recvmsg);
@@ -612,6 +607,13 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) 
		if (is_receive_credit_post_required(receive_credits, avail_recvmsg_count))

			mod_delayed_work(smb_direct_wq,

					 &t->post_recv_credits_work, 0);



		if (data_length) {

			enqueue_reassembly(t, recvmsg, (int)data_length);

			wake_up_interruptible(&t->wait_reassembly_queue);

		} else

			put_recvmsg(t, recvmsg);



		return;

	}

	}