diff options
| author | Xiaomeng Tong <[email protected]> | 2022-03-20 21:50:15 +0800 |
|---|---|---|
| committer | Steve French <[email protected]> | 2022-03-23 15:20:15 -0500 |
| commit | a96c94481f5993eac2271f9fb4d009b7dc076c24 (patch) | |
| tree | 501b2964ccd2d7878d6a2b6b3e7c0b08fa1c2e63 /net/lapb/lapb_subr.c | |
| parent | 2d004c6cae567e33ab2e197757181c72a322451f (diff) | |
cifs: fix incorrect use of list iterator after the loop
The bug is here:
if (!tcon) {
resched = true;
list_del_init(&ses->rlist);
cifs_put_smb_ses(ses);
Because the list_for_each_entry() never exits early (without any
break/goto/return inside the loop), the iterator 'ses' after the
loop will always be an pointer to a invalid struct containing the
HEAD (&pserver->smb_ses_list). As a result, the uses of 'ses' above
will lead to a invalid memory access.
The original intention should have been to walk each entry 'ses' in
'&tmp_ses_list', delete '&ses->rlist' and put 'ses'. So fix it with
a list_for_each_entry_safe().
Cc: [email protected] # 5.17
Fixes: 3663c9045f51a ("cifs: check reconnects for channels of active tcons too")
Signed-off-by: Xiaomeng Tong <[email protected]>
Reviewed-by: Shyam Prasad N <[email protected]>
Signed-off-by: Steve French <[email protected]>
Diffstat (limited to 'net/lapb/lapb_subr.c')
0 files changed, 0 insertions, 0 deletions