path: root/fs/cifs/cifssmb.c
authorChristopher Oo <t-chriso@microsoft.com>2015-06-26 01:10:48 +0200
committerSteve French <smfrench@gmail.com>2015-08-20 17:19:25 +0200
commit5fb4e288a025af1abc5c67ecebf30fbf6b3edad1 (patch)
tree751d20a93eb2f92415213fc068e6daa95e839119 /fs/cifs/cifssmb.c
parentUpdate cifs version number (diff)
cifs: Fix use-after-free on mid_q_entry
With CIFS_DEBUG_2 enabled, additional debug information is tracked inside each mid_q_entry struct; however, cifs_save_when_sent may use the mid_q_entry after it has been freed from the appropriate callback if the transport layer has very low latency. Holding the srv_mutex fixes this use-after-free, because cifs_save_when_sent is called with the srv_mutex held while the request is sent. Signed-off-by: Christopher Oo <t-chriso@microsoft.com>
Diffstat (limited to 'fs/cifs/cifssmb.c')
-rw-r--r--fs/cifs/cifssmb.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index 672ef35c9f73..90b4f9f7de66 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -696,7 +696,9 @@ cifs_echo_callback(struct mid_q_entry *mid)
{
struct TCP_Server_Info *server = mid->callback_data;
+ mutex_lock(&server->srv_mutex);
DeleteMidQEntry(mid);
+ mutex_unlock(&server->srv_mutex);
add_credits(server, 1, CIFS_ECHO_OP);
}
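Review bot: Taking srv_mutex inside the mid callback at `mutex_lock(&server->srv_mutex);` puts the response-demultiplexing path behind a lock that the send path holds across the socket write, so a sender stalled in the send (slow or unresponsive server) now also stalls processing of every other outstanding response, and it becomes a self-deadlock if any path ever invokes a mid callback while already holding srv_mutex — the reconnect and teardown code that fails pending mids is what to check, and it is not visible here. The lock also guards only the debug-only when_sent write described in the commit message, yet nothing at the call site says so, and a reader will assume DeleteMidQEntry requires srv_mutex in general. I would add `/* cifs_save_when_sent() may still write to mid under srv_mutex; don't free until the sender has dropped it */` above the lock. A reference count on mid_q_entry, or recording the send timestamp before the mid can be completed, would close the race without serializing receive against send.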
@@ -1572,7 +1574,9 @@ cifs_readv_callback(struct mid_q_entry *mid)
}
queue_work(cifsiod_wq, &rdata->work);
+ mutex_lock(&server->srv_mutex);
DeleteMidQEntry(mid);
+ mutex_unlock(&server->srv_mutex);
add_credits(server, 1, 0);
}
@@ -2032,6 +2036,7 @@ cifs_writev_callback(struct mid_q_entry *mid)
{
struct cifs_writedata *wdata = mid->callback_data;
struct cifs_tcon *tcon = tlink_tcon(wdata->cfile->tlink);
+ struct TCP_Server_Info *server = tcon->ses->server;
unsigned int written;
WRITE_RSP *smb = (WRITE_RSP *)mid->resp_buf;
@@ -2068,7 +2073,9 @@ cifs_writev_callback(struct mid_q_entry *mid)
}
queue_work(cifsiod_wq, &wdata->work);
+ mutex_lock(&server->srv_mutex);
DeleteMidQEntry(mid);
+ mutex_unlock(&server->srv_mutex);
add_credits(tcon->ses->server, 1, 0);
}
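Review bot: `add_credits(tcon->ses->server, 1, 0);` re-derives the server pointer although the earlier hunk introduced the `server` local for exactly this object; use `add_credits(server, 1, 0);` so the mutex owner and the credit target are visibly the same server. It is also worth a one-line comment that wdata and tcon are safe to touch after DeleteMidQEntry because they are not owned by the mid (wdata has been handed to cifsiod_wq via queue_work), since the mid itself is gone at that point. cifs_writev_callback begins in the earlier hunk and its body between the two hunks is not shown.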