fs/smb/server/server.c:283:5-24: WARNING: atomic_dec_and_test variation before object free at line 284.

From: kernel test robot
Date: Sun Dec 15 2024 - 21:34:32 EST


tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8
commit: 9a8c5d89d327ff58e9b2517f8a6afb4181d32c6e ksmbd: fix use-after-free in SMB request handling
date: 3 weeks ago
config: parisc-randconfig-r053-20241215 (https://download.01.org/0day-ci/archive/20241216/202412161024.LgGt4s2G-lkp@xxxxxxxxx/config)
compiler: hppa-linux-gcc (GCC) 14.2.0

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412161024.LgGt4s2G-lkp@xxxxxxxxx/

cocci warnings: (new ones prefixed by >>)
>> fs/smb/server/server.c:283:5-24: WARNING: atomic_dec_and_test variation before object free at line 284.

vim +283 fs/smb/server/server.c

255
256 /**
257 * handle_ksmbd_work() - process pending smb work requests
258 * @wk: smb work containing request command buffer
259 *
260 * Called by kworker threads to process remaining smb work requests. Passes the work item to ksmbd_free_work_struct() and drops conn->r_count before returning.
261 */
262 static void handle_ksmbd_work(struct work_struct *wk)
263 {
264 struct ksmbd_work *work = container_of(wk, struct ksmbd_work, work);
265 struct ksmbd_conn *conn = work->conn; /* conn is read from work up front; after line 272 only this cached pointer is used */
266
267 atomic64_inc(&conn->stats.request_served);
268
269 __handle_ksmbd_work(work, conn);
270
271 ksmbd_conn_try_dequeue_request(work);
272 ksmbd_free_work_struct(work); /* no use of work after this call; the lines below touch only conn */
273 atomic_dec(&conn->mux_smb_requests);
274 /*
275 * Check the waitqueue so that pending requests are dropped on
276 * disconnection. waitqueue_active is safe here because the
277 * condition is checked with an atomic operation.
278 */
279 atomic_inc(&conn->refcnt); /* take a conn reference before r_count is dropped. NOTE(review): presumably a waiter on r_count_q can tear the connection down once r_count reaches 0, so conn must stay pinned across wake_up() - confirm against the waiter */
280 if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q))
281 wake_up(&conn->r_count_q);
282
> 283 if (atomic_dec_and_test(&conn->refcnt)) /* drop the reference taken at line 279; whoever reaches zero frees conn. NOTE(review): refcnt is an atomic_t used as a reference count, which is the pattern the cocci warning reports; refcount_t would add overflow/underflow checking - confirm */
> 284 kfree(conn); /* NOTE(review): a bare kfree() is all this path does; whether other conn resources are already released by the time refcnt hits zero is not visible here - confirm */
285 }
286

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki