diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2011-06-17 08:34:57 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2011-06-24 18:39:41 -0400 |
commit | 6d6861757dfadb7d6aec6bb34acd471210a755f9 (patch) | |
tree | 6de2a3443afacc51cb307619e0a5d90ec22c0786 /fs/cifs/cifsfs.c | |
parent | dd8544661947ad6d8d87b3c9d4333bfa1583d1bc (diff) |
cifs: double free on mount failure
if we get to out_super with ->s_root already set (e.g. with
cifs_get_root() failure), we'll end up with cifs_put_super()
called and ->mountdata freed twice. We'll also get cifs_sb
freed twice and cifs_sb->local_nls dropped twice. The problem
is, we can get to out_super both with and without ->s_root,
which makes ->put_super() a bad place for such work.
Switch to ->kill_sb(), have all that work done there after
kill_anon_super(). Unlike ->put_super(), ->kill_sb() is
called by deactivate_locked_super() whether we have ->s_root
or not.
Acked-by: Pavel Shilovsky <piastryyy@gmail.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/cifs/cifsfs.c')
-rw-r--r-- | fs/cifs/cifsfs.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index 5d3c4fa4b546..dc76c7bccb15 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c | |||
@@ -184,11 +184,13 @@ cifs_put_super(struct super_block *sb) | |||
184 | rc = cifs_umount(sb, cifs_sb); | 184 | rc = cifs_umount(sb, cifs_sb); |
185 | if (rc) | 185 | if (rc) |
186 | cERROR(1, "cifs_umount failed with return code %d", rc); | 186 | cERROR(1, "cifs_umount failed with return code %d", rc); |
187 | if (cifs_sb->mountdata) { | 187 | } |
188 | kfree(cifs_sb->mountdata); | ||
189 | cifs_sb->mountdata = NULL; | ||
190 | } | ||
191 | 188 | ||
189 | static void cifs_kill_sb(struct super_block *sb) | ||
190 | { | ||
191 | struct cifs_sb_info *cifs_sb = CIFS_SB(sb); | ||
192 | kill_anon_super(sb); | ||
193 | kfree(cifs_sb->mountdata); | ||
192 | unload_nls(cifs_sb->local_nls); | 194 | unload_nls(cifs_sb->local_nls); |
193 | kfree(cifs_sb); | 195 | kfree(cifs_sb); |
194 | } | 196 | } |
@@ -729,8 +731,8 @@ out_shared: | |||
729 | goto out; | 731 | goto out; |
730 | 732 | ||
731 | out_super: | 733 | out_super: |
732 | kfree(cifs_sb->mountdata); | ||
733 | deactivate_locked_super(sb); | 734 | deactivate_locked_super(sb); |
735 | goto out; | ||
734 | 736 | ||
735 | out_cifs_sb: | 737 | out_cifs_sb: |
736 | unload_nls(cifs_sb->local_nls); | 738 | unload_nls(cifs_sb->local_nls); |
@@ -827,7 +829,7 @@ struct file_system_type cifs_fs_type = { | |||
827 | .owner = THIS_MODULE, | 829 | .owner = THIS_MODULE, |
828 | .name = "cifs", | 830 | .name = "cifs", |
829 | .mount = cifs_do_mount, | 831 | .mount = cifs_do_mount, |
830 | .kill_sb = kill_anon_super, | 832 | .kill_sb = cifs_kill_sb, |
831 | /* .fs_flags */ | 833 | /* .fs_flags */ |
832 | }; | 834 | }; |
833 | const struct inode_operations cifs_dir_inode_ops = { | 835 | const struct inode_operations cifs_dir_inode_ops = { |