4.19-stable patches

[thirdparty/kernel/stable-queue.git] / queue-4.19 / cifs-fix-panic-in-smb2_reconnect.patch

From 0ff2b018b02f89da26a616e0148582321a00fd99 Mon Sep 17 00:00:00 2001
From: Ronnie Sahlberg <lsahlber@redhat.com>
Date: Wed, 5 Jun 2019 10:15:34 +1000
Subject: cifs: fix panic in smb2_reconnect

From: Ronnie Sahlberg <lsahlber@redhat.com>

commit 0ff2b018b02f89da26a616e0148582321a00fd99 upstream.

RH Bugzilla: 1702264

We need to protect so that the call to smb2_reconnect() in
smb2_reconnect_server() does not end up freeing the session
because it can lead to a use after free and crash.

Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2pdu.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2869,9 +2869,14 @@ void smb2_reconnect_server(struct work_s
                                tcon_exist = true;
                        }
                }
+               /*
+                * IPC has the same lifetime as its session and uses its
+                * refcount.
+                */
                if (ses->tcon_ipc && ses->tcon_ipc->need_reconnect) {
                        list_add_tail(&ses->tcon_ipc->rlist, &tmp_list);
                        tcon_exist = true;
+                       ses->ses_count++;
                }
        }
        /*
@@ -2890,7 +2895,10 @@ void smb2_reconnect_server(struct work_s
                else
                        resched = true;
                list_del_init(&tcon->rlist);
-               cifs_put_tcon(tcon);
+               if (tcon->ipc)
+                       cifs_put_smb_ses(tcon->ses);
+               else
+                       cifs_put_tcon(tcon);
        }
 
        cifs_dbg(FYI, "Reconnecting tcons finished\n");