From: Dan Carpenter <dan.carpenter@oracle.com>

mainline inclusion
from mainline-5.15-rc1
commit a2ba2709f5e465b316ef1f18605190d249847aad
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I60T7G
CVE: NA
Reference: https://git.kernel.org/torvalds/linux/c/a2ba2709f5e4
-------------------------------
The ksmbd_free_work_struct() frees "work" so we need to swap the order of these two function calls to avoid a use after free.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
---
 fs/cifsd/oplock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c index 6c3dbc71134e..f694c14be0df 100644 --- a/fs/cifsd/oplock.c +++ b/fs/cifsd/oplock.c @@ -638,8 +638,8 @@ static void __smb2_oplock_break_noti(struct work_struct *wk) if (allocate_oplock_break_buf(work)) { ksmbd_err("smb2_allocate_rsp_buf failed! "); atomic_dec(&conn->r_count); - ksmbd_free_work_struct(work); ksmbd_fd_put(work, fp); + ksmbd_free_work_struct(work); return; }
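Review bot: The error string in the allocate_oplock_break_buf() failure branch of __smb2_oplock_break_noti() reads "smb2_allocate_rsp_buf failed!", which names a different function from the one whose return value is checked; while this branch is being touched, the message could name allocate_oplock_break_buf() so a log line points at the right call. On the reorder itself, ksmbd_fd_put(work, fp) takes work as an argument, so placing it before ksmbd_free_work_struct(work) is the right order. Only this one exit path is visible here, so it is worth confirming that the other return paths of the function release fp before freeing work as well. The commit message would also benefit from a Fixes: tag, and the backport header labels a use-after-free fix as "category: feature", which looks like it should be a bugfix category.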