From a2ba2709f5e465b316ef1f18605190d249847aad Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Thu, 18 Mar 2021 16:12:54 +0300
Subject: [PATCH] cifsd: Fix a use after free on error path

The ksmbd_free_work_struct() frees "work" so we need to swap the order
of these two function calls to avoid a use after free.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
 fs/cifsd/oplock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index 6c3dbc71134e4..f694c14be0df0 100644
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -638,8 +638,8 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
 	if (allocate_oplock_break_buf(work)) {
 		ksmbd_err("smb2_allocate_rsp_buf failed! ");
 		atomic_dec(&conn->r_count);
-		ksmbd_free_work_struct(work);
 		ksmbd_fd_put(work, fp);
+		ksmbd_free_work_struct(work);
 		return;
 	}
 
-- 
2.30.2