From: Steve French
Date: Tue, 22 Mar 2022 23:20:21 -0500
Subject: Re: [PATCH] cifs: fix incorrect use of list iterator after the loop
To: Shyam Prasad N
Cc: Xiaomeng Tong, CIFS, Shyam Prasad N, samba-technical, LKML, Steven French, jakobkoschel@gmail.com
X-Mailing-List: linux-kernel@vger.kernel.org

tentatively merged into cifs-2.6.git for-next pending additional testing

Also added cc:stable 5.17

On Tue, Mar 22, 2022 at 1:09 AM Shyam Prasad N via samba-technical wrote:
>
> On Mon, Mar 21, 2022 at 3:50 PM Xiaomeng Tong wrote:
> >
> > The bug is here:
> >         if (!tcon) {
> >                 resched = true;
> >                 list_del_init(&ses->rlist);
> >                 cifs_put_smb_ses(ses);
> >
> > Because the list_for_each_entry() never exits early (without any
> > break/goto/return inside the loop), the iterator 'ses' after the
> > loop will always be a pointer to an invalid struct containing the
> > HEAD (&pserver->smb_ses_list). As a result, the uses of 'ses' above
> > will lead to an invalid memory access.
> >
> > The original intention should have been to walk each entry 'ses' in
> > '&tmp_ses_list', delete '&ses->rlist' and put 'ses'. So fix it with
> > a list_for_each_entry_safe().
> >
> > Fixes: 3663c9045f51a ("cifs: check reconnects for channels of active tcons too")
> > Signed-off-by: Xiaomeng Tong
> > --- > > fs/cifs/smb2pdu.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c > > index 7e7909b1ae11..f82d6fcb5c64 100644 > > --- a/fs/cifs/smb2pdu.c > > +++ b/fs/cifs/smb2pdu.c
> > @@ -3858,8 +3858,10 @@ void smb2_reconnect_server(struct work_struct *work) > > tcon = kzalloc(sizeof(struct cifs_tcon), GFP_KERNEL); > > if (!tcon) { > > resched = true; > > - list_del_init(&ses->rlist); > > - cifs_put_smb_ses(ses); > > + list_for_each_entry_safe(ses, ses2, &tmp_ses_list, rlist) { > > + list_del_init(&ses->rlist); > > + cifs_put_smb_ses(ses); > > + } > > goto done; > > } > > > > > > base-commit: 14702b3b2438e2f2d07ae93b5d695c166e5c83d1 > > -- > > 2.17.1 > > > > Hi Xiaomeng, > Good catch. > Reviewed-by: Shyam Prasad N > > Steve, This one needs to be marked for CC stable 5.17+ > > -- > Regards, > Shyam > -- Thanks, Steve
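
Review bot: `ses2` in the added `list_for_each_entry_safe(ses, ses2, &tmp_ses_list, rlist)` line is not declared anywhere in this patch: the diffstat's four insertions are all inside this hunk, so the change only builds if `smb2_reconnect_server()` already has a `struct cifs_ses *ses2` in scope. Please confirm that and say so in the commit message. The commit message also names `&pserver->smb_ses_list` as the list the stale `ses` came from while the new loop walks `&tmp_ses_list`; a one-line comment above the loop stating that it unlinks and puts every entry still on `tmp_ses_list` before `goto done` would make this error path self-explanatory.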
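
The iterator behaviour the commit message describes, reproduced in userspace as an added example (not code from the patch or from the kernel tree). The list macros are simplified stand-ins for the kernel helpers, and `struct ses` is a hypothetical substitute for `struct cifs_ses`.

```c
#include <stddef.h>

/* Simplified userspace stand-ins for the kernel list helpers. */
struct list_head { struct list_head *next, *prev; };
#define container_of(p, type, m) ((type *)((char *)(p) - offsetof(type, m)))
#define list_for_each_entry(pos, head, m)                            \
	for (pos = container_of((head)->next, __typeof__(*pos), m);  \
	     &pos->m != (head);                                      \
	     pos = container_of(pos->m.next, __typeof__(*pos), m))
#define list_for_each_entry_safe(pos, n, head, m)                    \
	for (pos = container_of((head)->next, __typeof__(*pos), m),  \
	     n = container_of(pos->m.next, __typeof__(*pos), m);     \
	     &pos->m != (head);                                      \
	     pos = n, n = container_of(n->m.next, __typeof__(*n), m))

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *e, struct list_head *h)
{
	e->prev = h->prev; e->next = h; h->prev->next = e; h->prev = e;
}
static void list_del_init(struct list_head *e)
{
	e->prev->next = e->next; e->next->prev = e->prev; list_init(e);
}

/* Hypothetical stand-in for struct cifs_ses: a refcount and a list link. */
struct ses { int refs; struct list_head rlist; };

/* Run the loop to completion, then report whether the leftover iterator is
 * only the list head viewed as a struct ses, i.e. not a real entry. */
static int iterator_is_head_after_loop(struct list_head *head)
{
	struct ses *ses;
	list_for_each_entry(ses, head, rlist)
		;	/* no break/goto/return inside the loop */
	return &ses->rlist == head;
}

/* Pattern used by the fix: unlink and release every entry; returns the count. */
static int drain(struct list_head *head)
{
	struct ses *ses, *ses2;
	int released = 0;
	list_for_each_entry_safe(ses, ses2, head, rlist) {
		list_del_init(&ses->rlist);
		ses->refs--;	/* stands in for cifs_put_smb_ses(ses) */
		released++;
	}
	return released;
}
```
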