[PATCH] cifs: fix race condition in smb2_compound_op
Ondrej Hubsch
ohubsch at purestorage.com
Tue Apr 26 12:31:52 UTC 2022
When cfile->count becomes 1 after it is passed to smb2_compound_op (aka
cfile becomes the last reference to the file handle) the call to
cifsFileInfo_put will cause a SMB2_CLOSE being immediately sent to the
server -- just before the compound request. The compound request then
contains an incorrect (already closed) handle, resulting in EBADF/EIO
errors.
This can happen for instance when:
1) close(fd) was called, but there are still references held in
wdata->cfile in cifs_writedata's -- these are cleaned up asynchronously in
cifs_writedata_release.
2) smb2_query_path_info is called and successfully fetches cfile through
cifs_get_readable_path
3) asynchronous cleanup of all wdata->cfiles completes
Then the cfile->count can be 1, triggering this bug.
This patch addresses this situation by removing the call to
cifsFileInfo_put as it is also called in the finished section right after
compound_send_recv.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15051
Signed-off-by: Ondrej Hubsch <ohubsch at purestorage.com>
---
fs/cifs/smb2inode.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/cifs/smb2inode.c b/fs/cifs/smb2inode.c
index fe5bfa245fa7..d82bd244ecab 100644
--- a/fs/cifs/smb2inode.c
+++ b/fs/cifs/smb2inode.c
@@ -361,14 +361,12 @@ smb2_compound_op(const unsigned int xid, struct
cifs_tcon *tcon,
after_close:
num_rqst++;
- if (cfile) {
- cifsFileInfo_put(cfile);
- cfile = NULL;
+ if (cfile)
rc = compound_send_recv(xid, ses, server,
flags, num_rqst - 2,
&rqst[1], &resp_buftype[1],
&rsp_iov[1]);
- } else
+ else
rc = compound_send_recv(xid, ses, server,
flags, num_rqst,
rqst, resp_buftype,
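Review bot: dropping `cifsFileInfo_put(cfile)` and `cfile = NULL` from the `if (cfile)` branch makes this path depend entirely on the put in the `finished:` section, which is not visible in this hunk; please confirm that every exit after `compound_send_recv`, including the error paths that jump to `finished`, reaches that put exactly once, and that nothing between here and `finished` tested `cfile == NULL` to decide how the responses are handled (the two branches still differ in `num_rqst - 2` vs `num_rqst` and `&rqst[1]` vs `rqst`, so `cfile` must keep its value until the response buffers are processed). A one-line comment above `if (cfile)` stating that the reference must be held until the compound reply returns, because the last put sends an SMB2_CLOSE ahead of the request, would keep the early put from being reintroduced later.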
--
2.27.0