tree: git://git.samba.org/sfrench/cifs-2.6.git for-next
head: fd2bd7c0539e28f267a84da8d68f9378511b50a7
commit: aa52cd09620b0ebd34ccae0e7f9f5b773497a499 [8/13] cifs: handle when server stops supporting multichannel
config: i386-randconfig-141-20231108 (https://download.01.org/0day-ci/archive/20231111/202311110815.UJaeU3Tt-lkp@xxxxxxxxx/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce: (https://download.01.org/0day-ci/archive/20231111/202311110815.UJaeU3Tt-lkp@xxxxxxxxx/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Reported-by: Dan Carpenter <error27@xxxxxxxxx>
| Closes: https://lore.kernel.org/r/202311110815.UJaeU3Tt-lkp@xxxxxxxxx/

smatch warnings:
fs/smb/client/sess.c:323 cifs_disable_secondary_channels() error: dereferencing freed memory 'iface'

vim +/iface +323 fs/smb/client/sess.c

aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 298 void
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 299 cifs_disable_secondary_channels(struct cifs_ses *ses)
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 300 {
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 301 int i, chan_count;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 302 struct TCP_Server_Info *server;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 303 struct cifs_server_iface *iface;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 304
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 305 spin_lock(&ses->chan_lock);
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 306 chan_count = ses->chan_count;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 307 if (chan_count == 1)
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 308 goto done;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 309
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 310 ses->chan_count = 1;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 311
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 312 /* for all secondary channels reset the need reconnect bit */
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 313 ses->chans_need_reconnect &= 1;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 314
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 315 for (i = 1; i < chan_count; i++) {
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 316 iface = ses->chans[i].iface;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 317 server = ses->chans[i].server;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 318
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 319 if (iface) {
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 320 spin_lock(&ses->iface_lock);
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 321 kref_put(&iface->refcount, release_iface);
                                                                                             ^^^^^^^^^^^^^ Freed if last reference.
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 322 ses->chans[i].iface = NULL;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 @323 iface->num_channels--;
                                                                   ^^^^^ Dereference after free.
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 324 if (iface->weight_fulfilled)
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 325 iface->weight_fulfilled--;
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 326 spin_unlock(&ses->iface_lock);
aa52cd09620b0e fs/smb/client/sess.c Shyam Prasad N 2023-10-13 327 }

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki