diff options
author | Christopher Oo <t-chriso@microsoft.com> | 2015-06-25 16:10:48 -0700 |
---|---|---|
committer | Steve French <smfrench@gmail.com> | 2015-08-20 10:19:25 -0500 |
commit | 5fb4e288a025af1abc5c67ecebf30fbf6b3edad1 (patch) | |
tree | 751d20a93eb2f92415213fc068e6daa95e839119 /fs/cifs/transport.c | |
parent | 0a6d0b64120759df8b9291af92d998ed1cbefc9d (diff) | |
download | op-kernel-dev-5fb4e288a025af1abc5c67ecebf30fbf6b3edad1.zip op-kernel-dev-5fb4e288a025af1abc5c67ecebf30fbf6b3edad1.tar.gz |
cifs: Fix use-after-free on mid_q_entry
With CIFS_DEBUG_2 enabled, additional debug information is tracked inside each
mid_q_entry struct, however cifs_save_when_sent may use the mid_q_entry after it
has been freed from the appropriate callback if the transport layer has very low
latency. Holding the srv_mutex fixes this use-after-free, as cifs_save_when_sent
is called while the srv_mutex is held while the request is sent.
Signed-off-by: Christopher Oo <t-chriso@microsoft.com>
Diffstat (limited to 'fs/cifs/transport.c')
-rw-r--r-- | fs/cifs/transport.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c index 126f46b..2a24c52 100644 --- a/fs/cifs/transport.c +++ b/fs/cifs/transport.c @@ -644,7 +644,9 @@ cifs_sync_mid_result(struct mid_q_entry *mid, struct TCP_Server_Info *server) } spin_unlock(&GlobalMid_Lock); + mutex_lock(&server->srv_mutex); DeleteMidQEntry(mid); + mutex_unlock(&server->srv_mutex); return rc; } |