cifs: fix panic in smb2_reconnect (0ff2b018) · Commits · e / devices / android_kernel_fairphone_FP5

RH Bugzilla: 1702264 We need to protect so that the call to smb2_reconnect() in smb2_reconnect_server() does not end up freeing the session because it can lead to a use after free and crash. Reviewed-by:

Aurelien Aptel <aaptel@suse.com> Cc: <stable@vger.kernel.org> Signed-off-by:

Ronnie Sahlberg <lsahlber@redhat.com> Signed-off-by:

Steve French <stfrench@microsoft.com> Reviewed-by:

Pavel Shilovsky <pshilov@microsoft.com>

fs/cifs/smb2pdu.c

+9 −1

Original line number	Diff line number	Diff line
		@@ -3114,9 +3114,14 @@ void smb2_reconnect_server(struct work_struct *work)
		tcon_exist = true;
		}
		}
		/*
		* IPC has the same lifetime as its session and uses its
		* refcount.
		*/
		if (ses->tcon_ipc && ses->tcon_ipc->need_reconnect) {
		list_add_tail(&ses->tcon_ipc->rlist, &tmp_list);
		tcon_exist = true;
		ses->ses_count++;
		}
		}
		/*
		@@ -3135,6 +3140,9 @@ void smb2_reconnect_server(struct work_struct *work)
		else
		resched = true;
		list_del_init(&tcon->rlist);
		if (tcon->ipc)
		cifs_put_smb_ses(tcon->ses);
		else
		cifs_put_tcon(tcon);
		}