Commit 1aa60ee

metze-samba authored and opsiff committed
smb: client: let recv_done() avoid touching data_transfer after cleanup/move
[ Upstream commit 24eff17887cb45c25a427e662dda352973c5c171 ]

Calling enqueue_reassembly() and wake_up_interruptible(&info->wait_reassembly_queue)
or put_receive_buffer() means the response/data_transfer pointer might get
re-used by another thread, which means these should be the last operations
before calling return.

Cc: Steve French <[email protected]>
Cc: Tom Talpey <[email protected]>
Cc: Long Li <[email protected]>
Cc: [email protected]
Cc: [email protected]
Fixes: f198186 ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher <[email protected]>
Signed-off-by: Steve French <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
(cherry picked from commit 8c221b55d0c24c58e5ec394f4bf2256ca6c0535e)
1 parent 229be24 commit 1aa60ee

1 file changed

+11
-14
lines changed

fs/smb/client/smbdirect.c

Lines changed: 11 additions & 14 deletions
@@ -477,10 +477,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
477477
data_transfer = smbd_response_payload(response);
478478
data_length = le32_to_cpu(data_transfer->data_length);
479479

480-
/*
481-
* If this is a packet with data playload place the data in
482-
* reassembly queue and wake up the reading thread
483-
*/
484480
if (data_length) {
485481
if (info->full_packet_received)
486482
response->first_segment = true;
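Review bot: with the explanatory comment removed here, the `if (data_length)` block that remains at line 480 now only toggles `first_segment` / `full_packet_received` and no longer enqueues anything, which is not obvious to a reader who knows the old shape of this function. A one-line comment on this block stating that the actual hand-off to the reassembly queue is deferred to the end of recv_done() would keep the two halves of the data-packet handling connected, since the moved comment reappears only ~35 lines further down.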
@@ -489,16 +485,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
489485
info->full_packet_received = false;
490486
else
491487
info->full_packet_received = true;
492-
493-
enqueue_reassembly(
494-
info,
495-
response,
496-
data_length);
497-
} else
498-
put_receive_buffer(info, response);
499-
500-
if (data_length)
501-
wake_up_interruptible(&info->wait_reassembly_queue);
488+
}
502489

503490
atomic_dec(&info->receive_credits);
504491
info->receive_credit_target =
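Review bot: after this hunk, `response` stays owned by recv_done() across the credit bookkeeping that follows (`atomic_dec(&info->receive_credits)`, `info->receive_credit_target = ...`, and the lines up to the keep-alive handling not shown in this diff) rather than being handed to enqueue_reassembly() or returned via put_receive_buffer() here. That is the point of the fix, but it means any early `return` on the elided path between old line 498 and the relocated enqueue would now leak the receive buffer instead of merely racing on it; the lines in between are not part of this patch, so it is worth confirming that none of them bail out of the function. Also, moving `wake_up_interruptible(&info->wait_reassembly_queue)` out of its own `if (data_length)` and into the enqueue branch is semantically identical, so no objection there.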
@@ -526,6 +513,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
526513
info->keep_alive_requested = KEEP_ALIVE_PENDING;
527514
}
528515

516+
/*
517+
* If this is a packet with data playload place the data in
518+
* reassembly queue and wake up the reading thread
519+
*/
520+
if (data_length) {
521+
enqueue_reassembly(info, response, data_length);
522+
wake_up_interruptible(&info->wait_reassembly_queue);
523+
} else
524+
put_receive_buffer(info, response);
525+
529526
return;
530527
}
531528
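Review bot: the re-added comment at +516..+519 carries the same "playload" typo as the block it was moved from; since the lines are being touched anyway, "payload" would be the moment to fix it. On the code itself, the `if (data_length) { ... } else put_receive_buffer(info, response);` form has braces on one branch and not the other, which checkpatch flags under the kernel coding style; wrapping the else body in braces would match the rest of the function. The ordering is otherwise right for the race the commit message describes: enqueue_reassembly(), wake_up_interruptible() and put_receive_buffer() are now the last statements before `return;`, so nothing in this function dereferences `response` or `data_transfer` after another thread may have reclaimed the buffer.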
