cifs: fix use after free for iface while disabling secondary channels

We were deferencing iface after it has been released. Fix is to release after all dereference instances have been encountered. Signed-off-by: Ritvik Budhiraja <rbudhiraja@microsoft.com> Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Closes: https://lore.kernel.org/r/202311110815.UJaeU3Tt-lkp@intel.com/ Signed-off-by: Steve French <stfrench@microsoft.com>
author: Ritvik Budhiraja <rbudhiraja@microsoft.com> 2023-11-21 16:43:47 +0300
committer: Steve French <stfrench@microsoft.com> 2023-11-23 20:42:55 +0300
commit: a15ccef82d3de9a37dc25898c60a394209368dc8 (patch)
tree: fd45edb7712b009190a4d2549183894893838e34 /fs/smb/client
parent: 98b1cc82c4affc16f5598d4fa14b1858671b2263 (diff)
download: linux-a15ccef82d3de9a37dc25898c60a394209368dc8.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c
index 8b2d7c1ca428..816e01c5589b 100644
--- a/fs/smb/client/sess.c
+++ b/fs/smb/client/sess.c
@@ -332,10 +332,10 @@ cifs_disable_secondary_channels(struct cifs_ses *ses)
 
 		if (iface) {
 			spin_lock(&ses->iface_lock);
-			kref_put(&iface->refcount, release_iface);
 			iface->num_channels--;
 			if (iface->weight_fulfilled)
 				iface->weight_fulfilled--;
+			kref_put(&iface->refcount, release_iface);
 			spin_unlock(&ses->iface_lock);
 		}
author	Ritvik Budhiraja <rbudhiraja@microsoft.com>	2023-11-21 16:43:47 +0300
committer	Steve French <stfrench@microsoft.com>	2023-11-23 20:42:55 +0300
commit	a15ccef82d3de9a37dc25898c60a394209368dc8 (patch)
tree	fd45edb7712b009190a4d2549183894893838e34 /fs/smb/client
parent	98b1cc82c4affc16f5598d4fa14b1858671b2263 (diff)
download	linux-a15ccef82d3de9a37dc25898c60a394209368dc8.tar.xz