Hi folks, I have been trawling through the code to get a better understanding of various things and I came across this curious thing in the smb2dev branch in git://git.altlinux.org/people/piastry/public/cifs-2.6.git but it is also in the master branch, it seems. In transport.c:SendReceive (and SendReceive2 where we do similar things) we see: ... rc = cifs_sync_mid_result(midQ, ses->server); if (rc != 0) { add_credits(ses->server, 1, 0); return rc; } if (!midQ->resp_buf || !out_buf || midQ->mid_state != MID_RESPONSE_RECEIVED) { rc = -EIO; cERROR(1, "Bad MID state?"); goto out; } *pbytes_returned = get_rfc1002_length(midQ->resp_buf); memcpy(out_buf, midQ->resp_buf, *pbytes_returned + 4); rc = cifs_check_receive(midQ, ses->server, 0); ... However, at the end of cifs_sync_mid_result we see: DeleteMidQEntry(mid); return rc; and there are no early returns from cifs_sync_mid_result, it seems. The "mid" in the DeleteMidQEntry call is the same midQ passed to cifs_sync_mid_result, I believe. So, it looks like we have a use-after-free situation and thus a race to get the data out before someone else pollutes it. Is this correct or have I got the wrong end of the stick here? -- Regards, Richard Sharpe (何以解憂?唯有杜康。--曹操) -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html