[linux-cifs-client] [PATCH] cifs: NULL out tcon, pSesInfo, and srvTcp pointers when chasing DFS referrals

Steve French smfrench at gmail.com
Thu Dec 3 09:18:35 MST 2009


Added cc: stable and Reported-by: line, and merged

On Thu, Dec 3, 2009 at 7:09 AM, Jeff Layton <jlayton at redhat.com> wrote:

> The scenario is this:
>
> The kernel gets EREMOTE and starts chasing a DFS referral at mount time.
> The tcon reference is put, which puts the session reference too, but
> neither pointer is zeroed out.
>
> The mount gets retried (goto try_mount_again) with new mount info.
> Session setup fails and rc ends up being non-zero. The code then
> falls through to the end and tries to put the previously freed tcon
> pointer again.
>
> Fix this by moving the initialization of the rc variable and the tcon,
> pSesInfo and srvTcp pointers below the try_mount_again label. Also, add
> a FreeXid() before the goto to prevent xid "leaks".
>
> Signed-off-by: Jeff Layton <jlayton at redhat.com>
> ---
>  fs/cifs/connect.c |   13 +++++++++----
>  1 files changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index 63ea83f..3bbcaa7 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -2287,12 +2287,12 @@ int
>  cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
>                char *mount_data_global, const char *devname)
>  {
> -       int rc = 0;
> +       int rc;
>        int xid;
>        struct smb_vol *volume_info;
> -       struct cifsSesInfo *pSesInfo = NULL;
> -       struct cifsTconInfo *tcon = NULL;
> -       struct TCP_Server_Info *srvTcp = NULL;
> +       struct cifsSesInfo *pSesInfo;
> +       struct cifsTconInfo *tcon;
> +       struct TCP_Server_Info *srvTcp;
>        char   *full_path;
>        char *mount_data = mount_data_global;
>  #ifdef CONFIG_CIFS_DFS_UPCALL
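
Review bot: dropping the "= 0" and "= NULL" initializers from the declarations of rc, pSesInfo, tcon and srvTcp leaves all four undefined until the assignments after try_mount_again. Nothing between the declarations and the label reads them today, but keeping the initializers at the declaration as well costs nothing and protects against a later early exit being added above the label that reaches the cleanup code with garbage pointers.
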
> @@ -2301,6 +2301,10 @@ cifs_mount(struct super_block *sb, struct
> cifs_sb_info *cifs_sb,
>        int referral_walks_count = 0;
>  try_mount_again:
>  #endif
> +       rc = 0;
> +       tcon = NULL;
> +       pSesInfo = NULL;
> +       srvTcp = NULL;
>        full_path = NULL;
>
>        xid = GetXid();
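
Review bot: the reset block after try_mount_again has no comment saying why rc, tcon, pSesInfo and srvTcp are re-initialized on every pass. A one-line comment stating that the pointers may be stale after a referral retry would stop someone from "tidying" these back into the declarations. It would also be more robust to NULL each pointer at the point where its reference is put, so that correctness does not depend on this block alone.
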
> @@ -2597,6 +2601,7 @@ remote_path_check:
>
>                        cleanup_volume_info(&volume_info);
>                        referral_walks_count++;
> +                       FreeXid(xid);
>                        goto try_mount_again;
>                }
>  #else /* No DFS support, return error on mount */
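
Review bot: the FreeXid(xid) added before "goto try_mount_again" is only correct because GetXid() is called again right after the label, and that pairing is not obvious when reading this site on its own. A short comment here noting that a fresh xid is taken on each pass would help. Also confirm that no other jump back to try_mount_again exists without a matching FreeXid().
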
> --
> 1.6.5.2
>
>


-- 
Thanks,

Steve
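
A user-space model of the retry path described in the patch message, added here as an example; it is not code from fs/cifs/connect.c or from the patch author. struct obj, obj_put, mount_model and stale_puts are hypothetical names, and a counter stands in for the freed memory so the second put can be observed safely.

```c
#include <stdio.h>

/* Hypothetical stand-in for a refcounted tcon; not the kernel's struct. */
struct obj { int refs; int bad_puts; };  /* bad_puts: puts after the last ref was dropped */

static void obj_put(struct obj *o)
{
    if (!o)
        return;
    if (o->refs == 0) {        /* in the kernel this would touch freed memory */
        o->bad_puts++;
        return;
    }
    o->refs--;
}

/* Pass 1 hits a referral and retries; pass 2 fails before a new tcon exists. */
static int mount_model(struct obj *first, int reset_after_label)
{
    struct obj *tcon = NULL;
    int rc = 0, walks = 0;
try_again:
    if (reset_after_label) {   /* the patched behaviour */
        rc = 0;
        tcon = NULL;
    }
    if (walks == 0) {
        first->refs = 1;
        tcon = first;          /* tree connect succeeded */
        obj_put(tcon);         /* referral: reference dropped, pointer kept */
        walks++;
        goto try_again;
    }
    rc = -1;                   /* session setup fails on the retry */
    if (rc) obj_put(tcon);     /* error cleanup puts whatever tcon still holds */
    return rc;
}

static int stale_puts(int reset_after_label)
{
    struct obj o = { 0, 0 };
    mount_model(&o, reset_after_label);
    return o.bad_puts;         /* puts issued on an already-released object */
}

int main(void)
{
    printf("unpatched: %d stale put(s), patched: %d\n", stale_puts(0), stale_puts(1));
    return 0;
}
```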