MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-10-23 07:23:12 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

smb: client: let recv_done() avoid touching data_transfer after cleanup/move

Browse Source 
[ Upstream commit 24eff17887 ]

Calling enqueue_reassembly() and wake_up_interruptible(&info->wait_reassembly_queue)
or put_receive_buffer() means the response/data_transfer pointer might
get re-used by another thread, which means these should be
the last operations before calling return.

Cc: Steve French <smfrench@gmail.com>
Cc: Tom Talpey <tom@talpey.com>
Cc: Long Li <longli@microsoft.com>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Fixes: f198186aa9 ("CIFS: SMBD: Establish SMB Direct connection")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Stefan Metzmacher 2025-08-04 14:10:16 +02:00 committed by Greg Kroah-Hartman
parent d7822bdb6a
commit a050c70e61
1 changed files with 11 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
fs/smb/client/smbdirect.c
View File

@ -477,10 +477,6 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
data_transfer = smbd_response_payload(response); data_transfer = smbd_response_payload(response);
data_length = le32_to_cpu(data_transfer->data_length); data_length = le32_to_cpu(data_transfer->data_length);
/*
* If this is a packet with data playload place the data in
* reassembly queue and wake up the reading thread
*/
if (data_length) { if (data_length) {
if (info->full_packet_received) if (info->full_packet_received)
response->first_segment = true; response->first_segment = true;
@ -489,16 +485,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
info->full_packet_received = false; info->full_packet_received = false;
else else
info->full_packet_received = true; info->full_packet_received = true;
}
enqueue_reassembly(
info,
response,
data_length);
} else
put_receive_buffer(info, response);
if (data_length)
wake_up_interruptible(&info->wait_reassembly_queue);
atomic_dec(&info->receive_credits); atomic_dec(&info->receive_credits);
info->receive_credit_target = info->receive_credit_target =
@ -526,6 +513,16 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc)
info->keep_alive_requested = KEEP_ALIVE_PENDING; info->keep_alive_requested = KEEP_ALIVE_PENDING;
} }
/*
* If this is a packet with data playload place the data in
* reassembly queue and wake up the reading thread
*/
if (data_length) {
enqueue_reassembly(info, response, data_length);
wake_up_interruptible(&info->wait_reassembly_queue);
} else
put_receive_buffer(info, response);
return; return;
} }