On 06.08.25 at 14:48, Dan Carpenter wrote:
On Wed, Aug 06, 2025 at 02:20:56PM +0200, Stefan Metzmacher wrote:
Hi Dan,
The mempool_free() function frees "request". Don't free the request
until after smbd_disconnect_rdma_connection() to avoid a use after free
bug.
Fixes: 5e65668c75c0 ("smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection()")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
fs/smb/client/smbdirect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c
index 58321e483a1a..162f8d1c548a 100644
--- a/fs/smb/client/smbdirect.c
+++ b/fs/smb/client/smbdirect.c
@@ -286,8 +286,8 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc)
if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
wc->status, wc->opcode);
- mempool_free(request, request->info->request_mempool);
smbd_disconnect_rdma_connection(request->info);
+ mempool_free(request, request->info->request_mempool);
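Review bot: the swap keeps `request` alive across smbd_disconnect_rdma_connection(), which undoes the ordering that the referenced commit 5e65668c75c0 ("let send_done() cleanup before calling smbd_disconnect_rdma_connection()") introduced on purpose. The use-after-free in the original lines comes only from re-reading `request->info` for the disconnect argument after mempool_free() has returned the request to the pool, so the smaller fix is to load `request->info` into a local before the free and pass that local to smbd_disconnect_rdma_connection(), leaving the cleanup-then-disconnect order intact. Since the commit named in the Fixes: tag is not yet upstream, that hash may also change if the correction gets squashed into it.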
The correct fix is to use 'info' instead of 'request->info';
other than that, the order needs to stay as it is.
I already asked Steve to squash such a change into the
original commit (which is not yet upstream).
See:
https://lore.kernel.org/linux-cifs/cover.1754308712.git.metze@xxxxxxxxx/T/#m98a8607d7b83a11fd78547306836a872a2a27192
What was the test that triggered the problem?
Or did you only notice it by looking at the code?
This was a Smatch static checker warning. You need to have the cross
function DB to detect it.
Ok, I'll try to integrate it into my build flow...
Does it replace sparse or does it run in addition?
If it replaces sparse I guess a small script would
run them both?
$ cat mychecker.sh:
#!/bin/bash
set -e
# Pass the arguments through quoted so that paths with spaces survive.
sparse "$@"
smatch "$@"
And maybe all others from
https://gautammenghani.com/linux,/c/2022/05/19/static-analysis-tools-linux-kernel.html
How often do I need to run smatch_scripts/build_kernel_data.sh on the whole kernel?
Thanks!
metze
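As an added example (not Stefan's script above, and not part of the thread), a wrapper in the same spirit that runs every checker named in CHECKERS over the same arguments, keeps going when one of them exits non-zero, and only reports failure at the end. The checker list, the run_checkers function name and the use of `make C=1 CHECK=...` to hook it into the kernel build are assumptions made for the example; smatch and sparse are expected to be on PATH.

```shell
#!/bin/bash
# Added example wrapper (not from the thread): run all checkers in CHECKERS
# over the arguments the kernel build hands to CHECK, e.g.
#   make C=1 CHECK=/path/to/mychecker.sh
# Each checker receives the arguments quoted ("$@"), so paths with spaces
# survive, and a failing checker does not stop the remaining ones; the
# function returns non-zero if any checker failed.
# Assumed default list; add "-p=kernel" to smatch via CHECKERS if desired.
CHECKERS="${CHECKERS:-sparse smatch}"

run_checkers() {
    local rc=0 checker
    for checker in $CHECKERS; do
        "$checker" "$@" || rc=1
    done
    return $rc
}

# Count how many checkers would be run; useful for a quick sanity check.
checker_count() {
    set -- $CHECKERS
    echo "$#"
}
```

Invoke it as `run_checkers "$@"` at the end of the script when using it as CHECK; overriding CHECKERS in the environment swaps in other tools without editing the script.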