ksmbd: fix r_count dec/increment mismatch
authorNamjae Jeon <linkinjeon@kernel.org>
Mon, 24 Mar 2025 15:00:24 +0000 (00:00 +0900)
committerSteve French <stfrench@microsoft.com>
Fri, 28 Mar 2025 00:12:00 +0000 (19:12 -0500)
r_count is only increased when there is an oplock break wait,
so r_count inc/decrement are not paired. This can cause r_count
to become negative, which can lead to a problem where the ksmbd
thread does not terminate.

Fixes: 3aa660c05924 ("ksmbd: prevent connection release during oplock break notification")
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/oplock.c

index 894b53b0cf8cd23de000270d0f2eeb19b307f5b4..f103b1bd0400401aeb94a2effe7c5e256e52fe74 100644 (file)
@@ -724,8 +724,8 @@ static int smb2_oplock_break_noti(struct oplock_info *opinfo)
        work->conn = conn;
        work->sess = opinfo->sess;
 
+       ksmbd_conn_r_count_inc(conn);
        if (opinfo->op_state == OPLOCK_ACK_WAIT) {
-               ksmbd_conn_r_count_inc(conn);
                INIT_WORK(&work->work, __smb2_oplock_break_noti);
                ksmbd_queue_work(work);
 
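Review bot: The now-unconditional `ksmbd_conn_r_count_inc(conn)` ahead of the `OPLOCK_ACK_WAIT` test in smb2_oplock_break_noti carries no comment naming what it pairs with, although that pairing is the invariant this fix restores. The matching decrement is not visible in the hunk; going by the commit message it runs on both the queued and the non-waiting path, presumably inside `__smb2_oplock_break_noti`. I would add above the call `/* taken on every path: the break handler drops r_count whether it is queued or called directly */`, so a later edit does not move the increment back under the condition and reintroduce the negative count that keeps the ksmbd thread from terminating. The same comment applies to the identical call in smb2_lease_break_noti in the next hunk. Both function bodies continue outside their hunks, so whether any exit between the increment and the handler needs its own decrement has to be checked there.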
@@ -833,8 +833,8 @@ static int smb2_lease_break_noti(struct oplock_info *opinfo)
        work->conn = conn;
        work->sess = opinfo->sess;
 
+       ksmbd_conn_r_count_inc(conn);
        if (opinfo->op_state == OPLOCK_ACK_WAIT) {
-               ksmbd_conn_r_count_inc(conn);
                INIT_WORK(&work->work, __smb2_lease_break_noti);
                ksmbd_queue_work(work);
                wait_for_break_ack(opinfo);