cifs: fix use after free for iface while disabling secondary channels

We were deferencing iface after it has been released. Fix is to
release after all dereference instances have been encountered.

Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202311110815.UJaeU3Tt-lkp@intel.com/
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c
index 8b2d7c1ca4284c76cee2154140eaab89fdb8f4df..816e01c5589b450a9a5b6887c99aec4f48a5f361 100644 (file)
--- a/fs/smb/client/sess.c
+++ b/fs/smb/client/sess.c
@@ -332,10 +332,10 @@ cifs_disable_secondary_channels(struct cifs_ses *ses)
 
                if (iface) {
                        spin_lock(&ses->iface_lock);
-                       kref_put(&iface->refcount, release_iface);
                        iface->num_channels--;
                        if (iface->weight_fulfilled)
                                iface->weight_fulfilled--;
+                       kref_put(&iface->refcount, release_iface);
                        spin_unlock(&ses->iface_lock);
                }