cifs: fix use after free for iface while disabling secondary channels

We were deferencing iface after it has been released. Fix is to release after all dereference instances have been encountered. Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com> Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Closes: https://lore.kernel.org/r/202311110815.UJaeU3Tt-lkp@intel.com/Signed-off-by: Steve French <stfrench@microsoft.com>

cifs: fix use after free for iface while disabling secondary channels
We were deferencing iface after it has been released. Fix is to release after all dereference instances have been encountered. Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com> Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Closes: https://lore.kernel.org/r/202311110815.UJaeU3Tt-lkp@intel.com/Signed-off-by: Steve French <stfrench@microsoft.com>
a15ccef8 · Ritvik Budhiraja · Steve French · 98b1cc82 · a15ccef8
Commit a15ccef8 authored Nov 21, 2023 by Ritvik Budhiraja Committed by Steve French Nov 23, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

fs/smb/client/sess.c fs/smb/client/sess.c +1 -1

No files found.
--- a/fs/smb/client/sess.c
+++ b/fs/smb/client/sess.c
@@ -332,10 +332,10 @@ cifs_disable_secondary_channels(struct cifs_ses *ses)

 		if (iface) {
 			spin_lock(&ses->iface_lock);
-			kref_put(&iface->refcount, release_iface);
 			iface->num_channels--;
 			if (iface->weight_fulfilled)
 				iface->weight_fulfilled--;
+			kref_put(&iface->refcount, release_iface);
 			spin_unlock(&ses->iface_lock);
 		}