Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()

smbd_send_batch_flush() already calls smbd_free_send_io(),
so we should not call it again after smbd_post_send()
moved it to the batch list.

Reported-by: Ruikai Peng <ruikai@pwno.io>
Closes: https://lore.kernel.org/linux-cifs/CAFD3drNOSJ05y3A+jNXSDxW-2w09KHQ0DivhxQ_pcc7immVVOQ@mail.gmail.com/
Fixes: 21538121efe6 ("smb: client: make use of smbdirect_socket.send_io.bcredits")
Cc: stable@kernel.org
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Long Li <longli@microsoft.com>
Cc: Ruikai Peng <ruikai@pwno.io>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Cc: security@kernel.org
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Tested-by: Ruikai Peng <ruikai@pwno.io>
Signed-off-by: Steve French <stfrench@microsoft.com>

authored by Stefan Metzmacher and committed by Steve French
27b7c3e9 3e298897

+8
fs/smb/client/smbdirect.c
··· 1551 1551 1552 1552 rc = smbd_post_send(sc, batch, request); 1553 1553 if (!rc) { 1554 + /* 1555 + * From here request is moved to batch 1556 + * and we should not free it explicitly. 1557 + */ 1558 + 1554 1559 if (batch != &_batch) 1555 1560 return 0; 1556 1561 1557 1562 rc = smbd_send_batch_flush(sc, batch, true); 1558 1563 if (!rc) 1559 1564 return 0; 1565 + 1566 + goto err_flush; 1560 1567 } 1561 1568 1562 1569 err_dma: 1563 1570 smbd_free_send_io(request); 1564 1571 1572 + err_flush: 1565 1573 err_alloc: 1566 1574 atomic_inc(&sc->send_io.credits.count); 1567 1575 wake_up(&sc->send_io.credits.wait_queue);
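
Review bot: the new err_flush label shares the credit-return code with err_alloc, so a failed smbd_send_batch_flush() still runs atomic_inc(&sc->send_io.credits.count) and wake_up(&sc->send_io.credits.wait_queue) for a request the flush has already freed. The commit message only says the flush calls smbd_free_send_io(). Please confirm that the flush error path does not also hand this credit back, otherwise the double free is traded for a double credit increment. Two smaller points: the stacked labels err_flush: and err_alloc: read as accidental, so a one-line comment at err_flush saying the request is owned and freed by the batch would keep a later cleanup from merging it back into err_dma. The fall-through to err_dma when smbd_post_send() returns non-zero also depends on that function not having linked the request into the batch before failing, which is worth stating in the new comment block since it only covers the success case.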