Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6d686175 authored by Al Viro's avatar Al Viro
Browse files

cifs: double free on mount failure 



if we get to out_super with ->s_root already set (e.g. with
cifs_get_root() failure), we'll end up with cifs_put_super()
called and ->mountdata freed twice.  We'll also get cifs_sb
freed twice and cifs_sb->local_nls dropped twice.  The problem
is, we can get to out_super both with and without ->s_root,
which makes ->put_super() a bad place for such work.

Switch to ->kill_sb(), have all that work done there after
kill_anon_super().  Unlike ->put_super(), ->kill_sb() is
called by deactivate_locked_super() whether we have ->s_root
or not.

Acked-by: default avatarPavel Shilovsky <piastryyy@gmail.com>
Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent dd854466

fs/cifs/cifsfs.c

+8 −6
Original line number Diff line number Diff line
@@ -184,11 +184,13 @@ cifs_put_super(struct super_block *sb) 
	rc = cifs_umount(sb, cifs_sb);

	if (rc)

		cERROR(1, "cifs_umount failed with return code %d", rc);

	if (cifs_sb->mountdata) {

		kfree(cifs_sb->mountdata);

		cifs_sb->mountdata = NULL;

}



static void cifs_kill_sb(struct super_block *sb)

{

	struct cifs_sb_info *cifs_sb = CIFS_SB(sb);

	kill_anon_super(sb);

	kfree(cifs_sb->mountdata);

	unload_nls(cifs_sb->local_nls);

	kfree(cifs_sb);

}
@@ -729,8 +731,8 @@ cifs_do_mount(struct file_system_type *fs_type, 
	goto out;



out_super:

	kfree(cifs_sb->mountdata);

	deactivate_locked_super(sb);

	goto out;



out_cifs_sb:

	unload_nls(cifs_sb->local_nls);
@@ -827,7 +829,7 @@ struct file_system_type cifs_fs_type = { 
	.owner = THIS_MODULE,

	.name = "cifs",

	.mount = cifs_do_mount,

	.kill_sb = kill_anon_super,

	.kill_sb = cifs_kill_sb,

	/*  .fs_flags */

};

const struct inode_operations cifs_dir_inode_ops = {