From: Ritvik Budhiraja <rbudhiraja@microsoft.com>
Date: Tue, 21 Nov 2023 13:43:47 +0000 (+0530)
Subject: cifs: fix use after free for iface while disabling secondary channels
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=a15ccef82d3de9a37dc25898c60a394209368dc8;p=linux.git

cifs: fix use after free for iface while disabling secondary channels

We were deferencing iface after it has been released. Fix is to
release after all dereference instances have been encountered.

Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Closes: https://lore.kernel.org/r/202311110815.UJaeU3Tt-lkp@intel.com/
Signed-off-by: Steve French <stfrench@microsoft.com>
---

diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c
index 8b2d7c1ca4284..816e01c5589b4 100644
--- a/fs/smb/client/sess.c
+++ b/fs/smb/client/sess.c
@@ -332,10 +332,10 @@ cifs_disable_secondary_channels(struct cifs_ses *ses)
 
 		if (iface) {
 			spin_lock(&ses->iface_lock);
-			kref_put(&iface->refcount, release_iface);
 			iface->num_channels--;
 			if (iface->weight_fulfilled)
 				iface->weight_fulfilled--;
+			kref_put(&iface->refcount, release_iface);
 			spin_unlock(&ses->iface_lock);
 		}