OSDN Git Service

cifs: fix panic in smb2_reconnect
author Ronnie Sahlberg <lsahlber@redhat.com>
Wed, 5 Jun 2019 00:15:34 +0000 (10:15 +1000)
committer Steve French <stfrench@microsoft.com>
Thu, 13 Jun 2019 19:20:57 +0000 (14:20 -0500)
RH Bugzilla: 1702264

We need to protect so that the call to smb2_reconnect() in
smb2_reconnect_server() does not end up freeing the session
because it can lead to a use after free and crash.

Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
fs/cifs/smb2pdu.c

index 29b699d..75311a8 100644 (file)
@@ -3114,9 +3114,14 @@ void smb2_reconnect_server(struct work_struct *work)
                                tcon_exist = true;
                        }
                }
+               /*
+                * IPC has the same lifetime as its session and uses its
+                * refcount.
+                */
                if (ses->tcon_ipc && ses->tcon_ipc->need_reconnect) {
                        list_add_tail(&ses->tcon_ipc->rlist, &tmp_list);
                        tcon_exist = true;
+                       ses->ses_count++;
                }
        }
        /*
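Review bot: The bare `ses->ses_count++` inside the `if (ses->tcon_ipc && ses->tcon_ipc->need_reconnect)` block has no visible pairing in this hunk, and the new comment above the `if` only says that IPC uses the session refcount. I would extend that comment to say that the reference taken here is dropped by `cifs_put_smb_ses()` when the tcon is taken off `tmp_list`, and to name the lock that must be held for the increment, since the visible lines show a plain non-atomic increment and do not show which lock covers it.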
@@ -3135,7 +3140,10 @@ void smb2_reconnect_server(struct work_struct *work)
                else
                        resched = true;
                list_del_init(&tcon->rlist);
-               cifs_put_tcon(tcon);
+               if (tcon->ipc)
+                       cifs_put_smb_ses(tcon->ses);
+               else
+                       cifs_put_tcon(tcon);
        }
 
        cifs_dbg(FYI, "Reconnecting tcons finished\n");
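Review bot: In the `if (tcon->ipc)` branch, `cifs_put_smb_ses(tcon->ses)` can drop the last session reference, and per the comment added earlier in this patch the IPC tcon has the same lifetime as its session, so `tcon` must be treated as gone once that call returns. The ordering is correct because `list_del_init(&tcon->rlist)` runs first, but a short comment stating that, and that this put pairs with the `ses->ses_count++` taken when the IPC tcon was queued, would keep a later change from adding a `tcon` access after the put. It is also worth confirming that `tcon->ipc` is set for exactly the tcons queued through `ses->tcon_ipc`, since the get and the put are keyed on different fields.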