ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
authorNamjae Jeon <linkinjeon@kernel.org>
Mon, 2 Mar 2026 03:55:02 +0000 (12:55 +0900)
committerSteve French <stfrench@microsoft.com>
Mon, 9 Mar 2026 02:28:39 +0000 (21:28 -0500)
The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is
accessed after rcu_read_unlock() has been called. This creates a
race condition where the memory could be freed by a concurrent
writer between the unlock and the subsequent pointer dereferences
(opinfo->is_lease, etc.), leading to a use-after-free.

Fixes: 5fb282ba4fef ("ksmbd: fix possible null-deref in smb_lazy_parent_lease_break_close")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/oplock.c

index 8c9aa17384f3ec7686b1feefa1cf68a5d1341567..393a4ae47cc1d2cd3a65265d8196b44dadae6aae 100644 (file)
@@ -1135,10 +1135,12 @@ void smb_lazy_parent_lease_break_close(struct ksmbd_file *fp)
 
        rcu_read_lock();
        opinfo = rcu_dereference(fp->f_opinfo);
-       rcu_read_unlock();
 
-       if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2)
+       if (!opinfo || !opinfo->is_lease || opinfo->o_lease->version != 2) {
+               rcu_read_unlock();
                return;
+       }
+       rcu_read_unlock();
 
        p_ci = ksmbd_inode_lookup_lock(fp->filp->f_path.dentry->d_parent);
        if (!p_ci)
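Review bot: The new rcu_read_unlock() on the fall-through path ends the only protection opinfo has, and since smb_lazy_parent_lease_break_close's body runs past the end of the hunk I cannot see whether opinfo or opinfo->o_lease is dereferenced again later; any such use would reintroduce exactly the use-after-free this commit fixes, so the boundary deserves a comment above that unlock: `/* opinfo is only stable inside the RCU read-side section; do not dereference it past this point. */`. As a point of style, the unlock now appears twice (in the early-return branch and after it); evaluating the lease check into a local bool inside the critical section and unlocking once before the `return` would leave a single exit from the RCU section and make the rule above easier to keep. Either way the ksmbd_inode_lookup_lock() call, which by its name appears to take a lock, should stay outside the RCU read-side section as the hunk has it.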