References: <20220320135015.19794-1-xiam0nd.tong@gmail.com>
In-Reply-To: <20220320135015.19794-1-xiam0nd.tong@gmail.com>
From: Shyam Prasad N
Date: Tue, 22 Mar 2022 11:37:08 +0530
Subject: Re: [PATCH] cifs: fix incorrect use of list iterator after the loop
To: Xiaomeng Tong
Cc: Steven French, sprasad@microsoft.com, CIFS, samba-technical, LKML, jakobkoschel@gmail.com
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 21, 2022 at 3:50 PM Xiaomeng Tong wrote:
>
> The bug is here:
> if (!tcon) {
>         resched = true;
>         list_del_init(&ses->rlist);
>         cifs_put_smb_ses(ses);
>
> Because the list_for_each_entry() never exits early (without any
> break/goto/return inside the loop), the iterator 'ses' after the
> loop will always be a pointer to an invalid struct containing the
> HEAD (&pserver->smb_ses_list). As a result, the uses of 'ses' above
> will lead to an invalid memory access.
>
> The original intention should have been to walk each entry 'ses' in
> '&tmp_ses_list', delete '&ses->rlist' and put 'ses'. So fix it with
> a list_for_each_entry_safe().
>
> Fixes: 3663c9045f51a ("cifs: check reconnects for channels of active tcons too")
> Signed-off-by: Xiaomeng Tong
> ---
>  fs/cifs/smb2pdu.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > index 7e7909b1ae11..f82d6fcb5c64 100644 > --- a/fs/cifs/smb2pdu.c > +++ b/fs/cifs/smb2pdu.c
> @@ -3858,8 +3858,10 @@ void smb2_reconnect_server(struct work_struct *work) > tcon = kzalloc(sizeof(struct cifs_tcon), GFP_KERNEL); > if (!tcon) { > resched = true; > - list_del_init(&ses->rlist); > - cifs_put_smb_ses(ses); > + list_for_each_entry_safe(ses, ses2, &tmp_ses_list, rlist) { > + list_del_init(&ses->rlist); > + cifs_put_smb_ses(ses); > + } > goto done; > } > > > base-commit: 14702b3b2438e2f2d07ae93b5d695c166e5c83d1 > -- > 2.17.1
>

Hi Xiaomeng,

Good catch.
Reviewed-by: Shyam Prasad N

Steve,
This one needs to be marked for CC stable 5.17+

--
Regards,
Shyam
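Review bot: the replacement loop uses `ses2` as the list_for_each_entry_safe() cursor, but its declaration is outside the visible context; confirm `struct cifs_ses *ses2` is already declared in smb2_reconnect_server(), otherwise this is a build break. The change itself is right for the reason the commit message gives: after a list_for_each_entry() that runs to completion, `ses` is container_of() of the list head rather than an entry, so the removed `list_del_init(&ses->rlist); cifs_put_smb_ses(ses);` operated on bytes surrounding `&pserver->smb_ses_list`, and it also dropped at most one reference while every session queued on `tmp_ses_list` holds one. The _safe variant is the correct choice in the new loop (not the plain one) because `cifs_put_smb_ses(ses)` may free the entry the cursor sits on, and the plain iterator would then read `ses->rlist.next` from freed memory. Since this path still ends with `goto done;`, it is worth confirming that nothing after `done:` walks `tmp_ses_list` a second time, which would now be a double put.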
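The pattern the commit message describes, as an added example that is neither the patch's nor the kernel's code: a small userspace re-implementation of the intrusive list macros (assumed to have the same shape as include/linux/list.h, simplified), a constructed stand-in `struct ses` for struct cifs_ses, a `cursor_after_full_loop_is_head()` check showing that the cursor left behind by a completed list_for_each_entry() is the head's container and not an entry, and a `release_all_sessions()` that walks and drops the queued sessions with the _safe iterator the way the fixed error path does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal userspace intrusive list, same shape as the kernel's list.h
 * (simplified re-implementation for illustration, not kernel code). */
struct list_head { struct list_head *next, *prev; };

#define LIST_HEAD_INIT(name) { &(name), &(name) }
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
#define list_first_entry(head, type, member) list_entry((head)->next, type, member)
#define list_next_entry(pos, member) \
    list_entry((pos)->member.next, __typeof__(*(pos)), member)

/* Plain iterator: terminates when the cursor's embedded list_head IS the
 * head, so after a full walk 'pos' is container_of(head), never an entry. */
#define list_for_each_entry(pos, head, member)                    \
    for (pos = list_first_entry(head, __typeof__(*pos), member); \
         &pos->member != (head);                                  \
         pos = list_next_entry(pos, member))

/* Safe iterator: 'n' caches the next entry before the body runs, so the
 * body may unlink or free 'pos'. */
#define list_for_each_entry_safe(pos, n, head, member)            \
    for (pos = list_first_entry(head, __typeof__(*pos), member), \
         n = list_next_entry(pos, member);                        \
         &pos->member != (head);                                  \
         pos = n, n = list_next_entry(n, member))

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }
static void list_add_tail(struct list_head *e, struct list_head *head)
{
    struct list_head *prev = head->prev;
    prev->next = e; e->prev = prev; e->next = head; head->prev = e;
}
static void list_del_init(struct list_head *e)
{
    e->prev->next = e->next; e->next->prev = e->prev;
    INIT_LIST_HEAD(e);
}
static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Constructed stand-in for struct cifs_ses: only the fields used here. */
struct ses {
    int id;
    int refcount;            /* stands in for ses_count */
    struct list_head rlist;
};

/* True when, after a loop that ran to completion, the cursor 'ses' is the
 * container_of() of the list head: the state the old error path used.
 * The address is only compared, never dereferenced; reading ses->id here
 * would be the out-of-bounds access the patch removes. */
bool cursor_after_full_loop_is_head(void)
{
    struct list_head tmp_ses_list = LIST_HEAD_INIT(tmp_ses_list);
    struct ses a = { .id = 1, .refcount = 1 }, b = { .id = 2, .refcount = 1 };
    struct ses *ses;

    list_add_tail(&a.rlist, &tmp_ses_list);
    list_add_tail(&b.rlist, &tmp_ses_list);

    list_for_each_entry(ses, &tmp_ses_list, rlist)
        ; /* no break/goto/return: the loop exits only at the head */

    return &ses->rlist == &tmp_ses_list && ses != &a && ses != &b;
}

/* The corrected pattern: unlink and "put" every queued session while
 * walking with the _safe iterator. Returns the number released, or -1 if
 * the list is not empty afterwards or some reference was not dropped. */
int release_all_sessions(struct list_head *tmp_ses_list, struct ses *all, int n)
{
    struct ses *ses, *ses2;
    int released = 0;

    list_for_each_entry_safe(ses, ses2, tmp_ses_list, rlist) {
        list_del_init(&ses->rlist);
        ses->refcount--;     /* stands in for cifs_put_smb_ses(ses) */
        released++;
    }
    if (!list_empty(tmp_ses_list))
        return -1;
    for (int i = 0; i < n; i++)
        if (all[i].refcount != 0)
            return -1;
    return released;
}

/* Queues three constructed sessions and runs the corrected cleanup. */
int release_demo(void)
{
    struct list_head tmp_ses_list = LIST_HEAD_INIT(tmp_ses_list);
    struct ses s[3] = { { .id = 1, .refcount = 1 },
                        { .id = 2, .refcount = 1 },
                        { .id = 3, .refcount = 1 } };
    for (int i = 0; i < 3; i++)
        list_add_tail(&s[i].rlist, &tmp_ses_list);
    return release_all_sessions(&tmp_ses_list, s, 3);
}

int main(void)
{
    printf("cursor after full loop is the head: %s\n",
           cursor_after_full_loop_is_head() ? "yes" : "no");
    printf("sessions released by safe walk: %d\n", release_demo());
    return 0;
}
```

The first function is the whole bug in miniature: the plain iterator's exit condition is `&pos->member == head`, so the only value `pos` can hold after a loop with no early exit is an address computed backwards from the head. The second function shows why the fix needs the _safe form rather than merely moving the two lines into a loop: each iteration unlinks and releases the current entry, so the next pointer has to be read before the body runs.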