ksmbd: fix potential use-after-free in oplock/lease break ack

If ksmbd_iov_pin_rsp return error, use-after-free can happen by
accessing opinfo->state and opinfo_put and ksmbd_fd_put could
called twice.

Signed-off-by: Namjae Jeon <[email protected]>

Author: namjaejeon

smb2pdu.c

@@ -9189,13 +9189,13 @@ static void smb20_oplock_break_ack(struct ksmbd_work *work)
 	ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_oplock_break));
 	if (!ret)
 		return;
-
+	else {
 err_out:
-	opinfo->op_state = OPLOCK_STATE_NONE;
-	wake_up_interruptible_all(&opinfo->oplock_q);
-
-	opinfo_put(opinfo);
-	ksmbd_fd_put(work, fp);
+		opinfo->op_state = OPLOCK_STATE_NONE;
+		wake_up_interruptible_all(&opinfo->oplock_q);
+		opinfo_put(opinfo);
+		ksmbd_fd_put(work, fp);
+	}
 	smb2_set_err_rsp(work);
 }
 
@@ -9341,13 +9341,13 @@ static void smb21_lease_break_ack(struct ksmbd_work *work)
 	ret = ksmbd_iov_pin_rsp(work, rsp, sizeof(struct smb2_lease_ack));
 	if (!ret)
 		return;
-
+	else {
 err_out:
-	wake_up_interruptible_all(&opinfo->oplock_q);
-	atomic_dec(&opinfo->breaking_cnt);
-	wake_up_interruptible_all(&opinfo->oplock_brk);
-
-	opinfo_put(opinfo);
+		wake_up_interruptible_all(&opinfo->oplock_q);
+		atomic_dec(&opinfo->breaking_cnt);
+		wake_up_interruptible_all(&opinfo->oplock_brk);
+		opinfo_put(opinfo);
+	}
 	smb2_set_err_rsp(work);
 }