cifsd: Fix a use after free on error path

The ksmbd_free_work_struct() frees "work" so we need to swap the order
of these two function calls to avoid a use after free.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Steve French <stfrench@microsoft.com>

diff --git a/fs/cifsd/oplock.c b/fs/cifsd/oplock.c
index 6c3dbc7..f694c14 100644 (file)
--- a/fs/cifsd/oplock.c
+++ b/fs/cifsd/oplock.c
@@ -638,8 +638,8 @@ static void __smb2_oplock_break_noti(struct work_struct *wk)
        if (allocate_oplock_break_buf(work)) {
                ksmbd_err("smb2_allocate_rsp_buf failed! ");
                atomic_dec(&conn->r_count);
-               ksmbd_free_work_struct(work);
                ksmbd_fd_put(work, fp);
+               ksmbd_free_work_struct(work);
                return;
        }