From: Xiaomeng Tong
To: sfrench@samba.org
Cc: sprasad@microsoft.com, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, linux-kernel@vger.kernel.org, jakobkoschel@gmail.com, Xiaomeng Tong
Subject: [PATCH] cifs: fix incorrect use of list iterator after the loop
Date: Sun, 20 Mar 2022 21:50:15 +0800
Message-Id: <20220320135015.19794-1-xiam0nd.tong@gmail.com>

The bug is here:
	if (!tcon) {
		resched = true;
		list_del_init(&ses->rlist);
		cifs_put_smb_ses(ses);

Because the list_for_each_entry() never exits early (without any
break/goto/return inside the loop), the iterator 'ses' after the loop
will always be a pointer to an invalid struct containing the HEAD
(&pserver->smb_ses_list). As a result, the uses of 'ses' above will
lead to an invalid memory access.

The original intention should have been to walk each entry 'ses' in
'&tmp_ses_list', delete '&ses->rlist' and put 'ses'. So fix it with
a list_for_each_entry_safe().

Fixes: 3663c9045f51a ("cifs: check reconnects for channels of active tcons too")
Signed-off-by: Xiaomeng Tong
---
 fs/cifs/smb2pdu.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 7e7909b1ae11..f82d6fcb5c64 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3858,8 +3858,10 @@ void smb2_reconnect_server(struct work_struct *work) tcon = kzalloc(sizeof(struct cifs_tcon), GFP_KERNEL); if (!tcon) { resched = true; - list_del_init(&ses->rlist); - cifs_put_smb_ses(ses); + list_for_each_entry_safe(ses, ses2, &tmp_ses_list, rlist) { + list_del_init(&ses->rlist); + cifs_put_smb_ses(ses); + } goto done; } base-commit: 14702b3b2438e2f2d07ae93b5d695c166e5c83d1 -- 2.17.1
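Review bot: the added loop under `if (!tcon)` uses `ses2` as the safe-iteration cursor, but the hunk neither declares it nor shows a declaration in its context lines, so the change only compiles if smb2_reconnect_server() already has a second cursor of the same type as `ses`; please either widen the context to show that declaration or add one next to `ses`. Also worth stating in the commit message that behaviour on allocation failure changes from releasing the single (stale) `ses` to draining all of `tmp_ses_list` before `goto done`, which matches the stated intent but means the `done:` path must not expect any session to remain on that list.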
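Added example (mine, not part of this patch or of the cifs code): a user-space model of the iterator pitfall the commit message describes, with hypothetical stand-ins for the kernel's list helpers and for struct cifs_ses / cifs_put_smb_ses(). It shows why the cursor left behind by a list_for_each_entry() that runs to completion is not a valid entry, and how the list_for_each_entry_safe() form used in the hunk releases every queued session.

```c
#include <stddef.h>
#include <stdlib.h>
struct list_head { struct list_head *next, *prev; };	/* kernel-style list */
#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                             \
	for (pos = list_entry((head)->next, __typeof__(*pos), member);      \
	     &pos->member != (head);                                        \
	     pos = list_entry(pos->member.next, __typeof__(*pos), member))
#define list_for_each_entry_safe(pos, n, head, member)                     \
	for (pos = list_entry((head)->next, __typeof__(*pos), member),      \
	     n = list_entry(pos->member.next, __typeof__(*pos), member);    \
	     &pos->member != (head);                                        \
	     pos = n, n = list_entry(n->member.next, __typeof__(*n), member))
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *e, struct list_head *h)
{ e->prev = h->prev; e->next = h; h->prev->next = e; h->prev = e; }
static void list_del_init(struct list_head *e)
{ e->prev->next = e->next; e->next->prev = e->prev; list_init(e); }
/* Hypothetical stand-in for struct cifs_ses; 'pad' keeps rlist off offset 0. */
struct ses { long pad; struct list_head rlist; };
/* After a list_for_each_entry() that never breaks, the cursor is the head
 * re-interpreted as an entry: it sits offsetof(rlist) bytes *before* the head
 * and names no struct ses at all. Dereferencing it is the bug the patch fixes. */
int cursor_after_loop_is_bogus(struct list_head *head)
{
	struct ses *ses;
	list_for_each_entry(ses, head, rlist) { }	/* no break: runs to the end */
	return (char *)ses == (char *)head - offsetof(struct ses, rlist);
}
/* The hunk's corrected pattern: unlink and release every queued session while
 * walking; ses2 carries the next node across the free(). */
int put_all_sessions(struct list_head *head)
{
	struct ses *ses, *ses2;
	int n = 0;
	list_for_each_entry_safe(ses, ses2, head, rlist) {
		list_del_init(&ses->rlist);
		free(ses);	/* stands in for cifs_put_smb_ses() */
		n++;
	}
	return n;
}
/* Constructed scenario: queue k sessions, then release them all. Returns k if
 * the stale cursor was seen (true even for k == 0) and the head ends empty. */
int run_scenario(int k)
{
	struct list_head head;
	struct ses *s;
	list_init(&head);
	while (k-- > 0 && (s = malloc(sizeof *s)) != NULL)
		list_add_tail(&s->rlist, &head);
	int bogus = cursor_after_loop_is_bogus(&head), n = put_all_sessions(&head);
	return (bogus && head.next == &head && head.prev == &head) ? n : -1;
}
```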