This is a note to let you know that I've just added the patch titled smb: client: remove extra @chan_count check in __cifs_put_smb_ses() to the 6.6-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: smb-client-remove-extra-chan_count-check-in-__cifs_p.patch and it can be found in the queue-6.6 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 7bddb24a7f251bf659a181bc5149be9bfd867cbe Author: Paulo Alcantara <pc@xxxxxxxxxxxxx> Date: Mon Oct 30 17:19:53 2023 -0300 smb: client: remove extra @chan_count check in __cifs_put_smb_ses() [ Upstream commit c37ed2d7d09869f30d291b9c6cba56ea4f0b0417 ] If @ses->chan_count <= 1, then for-loop body will not be executed so no need to check it twice. Reviewed-by: Shyam Prasad N <sprasad@xxxxxxxxxxxxx> Signed-off-by: Paulo Alcantara (SUSE) <pc@xxxxxxxxxxxxx> Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx> Stable-dep-of: 24a9799aa8ef ("smb: client: fix UAF in smb2_reconnect_server()") Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c index 97776dd12b6b8..556f3c31aedc7 100644 --- a/fs/smb/client/connect.c +++ b/fs/smb/client/connect.c @@ -2015,9 +2015,10 @@ cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb3_fs_context *ctx) void __cifs_put_smb_ses(struct cifs_ses *ses) { - unsigned int rc, xid; - unsigned int chan_count; struct TCP_Server_Info *server = ses->server; + unsigned int xid; + size_t i; + int rc; spin_lock(&ses->ses_lock); if (ses->ses_status == SES_EXITING) { @@ -2063,20 +2064,14 @@ void __cifs_put_smb_ses(struct cifs_ses *ses) list_del_init(&ses->smb_ses_list); spin_unlock(&cifs_tcp_ses_lock); - chan_count = ses->chan_count; - /* close any extra channels */ - if (chan_count > 1) { - int i; - - for (i = 1; i < chan_count; i++) { - if (ses->chans[i].iface) { - kref_put(&ses->chans[i].iface->refcount, release_iface); - ses->chans[i].iface = NULL; - } - cifs_put_tcp_session(ses->chans[i].server, 0); - ses->chans[i].server = NULL; + for (i = 1; i < ses->chan_count; i++) { + if (ses->chans[i].iface) { + kref_put(&ses->chans[i].iface->refcount, release_iface); + ses->chans[i].iface = NULL; } + cifs_put_tcp_session(ses->chans[i].server, 0); + ses->chans[i].server = NULL; } /* we now account for primary channel in iface->refcount */