From: Xiaomeng Tong Date: Sun, 20 Mar 2022 13:50:15 +0000 (+0800) Subject: cifs: fix incorrect use of list iterator after the loop X-Git-Tag: dma-mapping-5.19-2022-05-25~122^2~7 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=a96c94481f5993eac2271f9fb4d009b7dc076c24;p=users%2Fhch%2Fdma-mapping.git cifs: fix incorrect use of list iterator after the loop The bug is here: if (!tcon) { resched = true; list_del_init(&ses->rlist); cifs_put_smb_ses(ses); Because the list_for_each_entry() never exits early (without any break/goto/return inside the loop), the iterator 'ses' after the loop will always be an pointer to a invalid struct containing the HEAD (&pserver->smb_ses_list). As a result, the uses of 'ses' above will lead to a invalid memory access. The original intention should have been to walk each entry 'ses' in '&tmp_ses_list', delete '&ses->rlist' and put 'ses'. So fix it with a list_for_each_entry_safe(). Cc: stable@vger.kernel.org # 5.17 Fixes: 3663c9045f51a ("cifs: check reconnects for channels of active tcons too") Signed-off-by: Xiaomeng Tong Reviewed-by: Shyam Prasad N Signed-off-by: Steve French --- diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 7e15b0092243..54b554c7aee8 100644 --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -3853,8 +3853,10 @@ void smb2_reconnect_server(struct work_struct *work) tcon = kzalloc(sizeof(struct cifs_tcon), GFP_KERNEL); if (!tcon) { resched = true; - list_del_init(&ses->rlist); - cifs_put_smb_ses(ses); + list_for_each_entry_safe(ses, ses2, &tmp_ses_list, rlist) { + list_del_init(&ses->rlist); + cifs_put_smb_ses(ses); + } goto done; }