Commit a2ba2709 authored Mar 18, 2021 by Dan Carpenter Committed by Steve French May 10, 2021

cifsd: Fix a use after free on error path



The ksmbd_free_work_struct() frees "work" so we need to swap the order
of these two function calls to avoid a use after free.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

parent 8ef32967

fs/cifsd/oplock.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -638,8 +638,8 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
		if (allocate_oplock_break_buf(work)) {
		ksmbd_err("smb2_allocate_rsp_buf failed! ");
		atomic_dec(&conn->r_count);
		ksmbd_free_work_struct(work);
		ksmbd_fd_put(work, fp);
		ksmbd_free_work_struct(work);
		return;
		}