From: Paulo Alcantara pc@cjr.nz
stable inclusion from linux-4.19.163 commit ba54b13c835609b3976714d3dde010c57d0fe23e
--------------------------------
commit 212253367dc7b49ed3fc194ce71b0992eacaecf2 upstream.
This patch fixes a potential use-after-free bug in cifs_echo_request().
For instance,
thread 1 -------- cifs_demultiplex_thread() clean_demultiplex_info() kfree(server)
thread 2 (workqueue) -------- apic_timer_interrupt() smp_apic_timer_interrupt() irq_exit() __do_softirq() run_timer_softirq() call_timer_fn() cifs_echo_request() <- use-after-free in server ptr
Signed-off-by: Paulo Alcantara (SUSE) pc@cjr.nz CC: Stable stable@vger.kernel.org Reviewed-by: Ronnie Sahlberg lsahlber@redhat.com Signed-off-by: Steve French stfrench@microsoft.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Yang Yingliang yangyingliang@huawei.com Signed-off-by: Cheng Jian cj.chengjian@huawei.com --- fs/cifs/connect.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index d3bdf8c418f9..423bc5b481e4 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -777,6 +777,8 @@ static void clean_demultiplex_info(struct TCP_Server_Info *server) list_del_init(&server->tcp_ses_list); spin_unlock(&cifs_tcp_ses_lock);
+ cancel_delayed_work_sync(&server->echo); + spin_lock(&GlobalMid_Lock); server->tcpStatus = CifsExiting; spin_unlock(&GlobalMid_Lock);