smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send...
authorStefan Metzmacher <metze@samba.org>
Fri, 10 Apr 2026 10:48:54 +0000 (12:48 +0200)
committerSteve French <stfrench@microsoft.com>
Sun, 12 Apr 2026 23:07:55 +0000 (18:07 -0500)
smb_direct_flush_send_list() already calls smb_direct_free_sendmsg(),
so we should not call it again after post_sendmsg()
moved it to the batch list.

Reported-by: Ruikai Peng <ruikai@pwno.io>
Closes: https://lore.kernel.org/linux-cifs/CAFD3drNOSJ05y3A+jNXSDxW-2w09KHQ0DivhxQ_pcc7immVVOQ@mail.gmail.com/
Fixes: 34abd408c8ba ("smb: server: make use of smbdirect_socket.send_io.bcredits")
Cc: stable@kernel.org
Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Ruikai Peng <ruikai@pwno.io>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Cc: security@kernel.org
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Tested-by: Ruikai Peng <ruikai@pwno.io>
Signed-off-by: Steve French <stfrench@microsoft.com>
fs/smb/server/transport_rdma.c

index 188572491d53ff91f889dd46586a67d45581aec3..dbc8dedb85dced2944f54a7fd192e6cb0333dd40 100644 (file)
@@ -1588,15 +1588,21 @@ static int smb_direct_post_send_data(struct smbdirect_socket *sc,
        if (ret)
                goto err;
 
+       /*
+        * From here msg is moved to send_ctx
+        * and we should not free it explicitly.
+        */
+
        if (send_ctx == &_send_ctx) {
                ret = smb_direct_flush_send_list(sc, send_ctx, true);
                if (ret)
-                       goto err;
+                       goto flush_failed;
        }
 
        return 0;
 err:
        smb_direct_free_sendmsg(sc, msg);
+flush_failed:
 header_failed:
        atomic_inc(&sc->send_io.credits.count);
 credit_failed:
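Review bot: The new `flush_failed:` label sits directly under the `smb_direct_free_sendmsg(sc, msg)` call with nothing at the label saying why the free is skipped; the only explanation is the comment about ten lines higher, so a later reshuffle of the unwind ladder could bring the double free back. I would add `/* msg was already freed by smb_direct_flush_send_list() */` on the line after `flush_failed:`. That path also still falls through to `atomic_inc(&sc->send_io.credits.count)`. The body of smb_direct_flush_send_list() is not in this hunk, so it is worth confirming that its failure path does not already return the send credit, otherwise the count would be raised twice. smb_direct_post_send_data() starts before the hunk and continues after it, so the remaining labels are not covered here.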