Commit 0ff2b018 authored by Ronnie Sahlberg, committed by Steve French

cifs: fix panic in smb2_reconnect

RH Bugzilla: 1702264

We need to protect so that the call to smb2_reconnect() in
smb2_reconnect_server() does not end up freeing the session
because it can lead to a use after free and crash.

Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
parent d1fdb6d8
...@@ -3114,9 +3114,14 @@ void smb2_reconnect_server(struct work_struct *work) ...@@ -3114,9 +3114,14 @@ void smb2_reconnect_server(struct work_struct *work)
tcon_exist = true; tcon_exist = true;
} }
} }
/*
* IPC has the same lifetime as its session and uses its
* refcount.
*/
if (ses->tcon_ipc && ses->tcon_ipc->need_reconnect) { if (ses->tcon_ipc && ses->tcon_ipc->need_reconnect) {
list_add_tail(&ses->tcon_ipc->rlist, &tmp_list); list_add_tail(&ses->tcon_ipc->rlist, &tmp_list);
tcon_exist = true; tcon_exist = true;
ses->ses_count++;
} }
} }
/* /*
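Review bot: The bare `ses->ses_count++` inside the `ses->tcon_ipc` branch gives no indication of which lock protects the counter, and the new comment does not say where this extra reference is dropped. Please confirm the increment runs under the same lock that guards the other `ses_count` updates, and extend the comment to name the matching `cifs_put_smb_ses()` call in the loop that drains `tmp_list`, so the get/put pair can be checked without reading both hunks together.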
...@@ -3135,6 +3140,9 @@ void smb2_reconnect_server(struct work_struct *work) ...@@ -3135,6 +3140,9 @@ void smb2_reconnect_server(struct work_struct *work)
else else
resched = true; resched = true;
list_del_init(&tcon->rlist); list_del_init(&tcon->rlist);
if (tcon->ipc)
cifs_put_smb_ses(tcon->ses);
else
cifs_put_tcon(tcon); cifs_put_tcon(tcon);
} }
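Review bot: The new `if (tcon->ipc)` branch has no comment, and its correctness depends on two things the code does not state: that `tcon->ipc` is set for exactly the tcon queued through `ses->tcon_ipc`, and that `tcon->ses` is the session whose `ses_count` was incremented in the earlier hunk. A one-line comment here saying the IPC tcon holds a session reference rather than a tcon reference would make that explicit. Since the comment added in the first hunk says the IPC tcon shares the session's lifetime, `cifs_put_smb_ses(tcon->ses)` may be the last reference, so `tcon` must not be touched after it. The visible lines satisfy that, because `list_del_init(&tcon->rlist)` comes before the put and nothing follows it in the loop body, but this ordering should be kept if the loop is changed later.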
......