cifs: double free on mount failure

if we get to out_super with ->s_root already set (e.g. with
cifs_get_root() failure), we'll end up with cifs_put_super()
called and ->mountdata freed twice.  We'll also get cifs_sb
freed twice and cifs_sb->local_nls dropped twice.  The problem
is, we can get to out_super both with and without ->s_root,
which makes ->put_super() a bad place for such work.

Switch to ->kill_sb(), have all that work done there after
kill_anon_super().  Unlike ->put_super(), ->kill_sb() is
called by deactivate_locked_super() whether we have ->s_root
or not.

Acked-by: Pavel Shilovsky <piastryyy@gmail.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 8 insertions, 6 deletions

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 5d3c4fa4b54..dc76c7bccb1 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -184,11 +184,13 @@ cifs_put_super(struct super_block *sb)
         rc = cifs_umount(sb, cifs_sb);
         if (rc)
                 cERROR(1, "cifs_umount failed with return code %d", rc);
-        if (cifs_sb->mountdata) {
-                kfree(cifs_sb->mountdata);
-                cifs_sb->mountdata = NULL;
-        }
+}
 
+static void cifs_kill_sb(struct super_block *sb)
+{
+        struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
+        kill_anon_super(sb);
+        kfree(cifs_sb->mountdata);
         unload_nls(cifs_sb->local_nls);
         kfree(cifs_sb);
 }
@@ -729,8 +731,8 @@ out_shared:
         goto out;
 
 out_super:
-        kfree(cifs_sb->mountdata);
         deactivate_locked_super(sb);
+        goto out;
 
 out_cifs_sb:
         unload_nls(cifs_sb->local_nls);
@@ -827,7 +829,7 @@ struct file_system_type cifs_fs_type = {
         .owner = THIS_MODULE,
         .name = "cifs",
         .mount = cifs_do_mount,
-        .kill_sb = kill_anon_super,
+        .kill_sb = cifs_kill_sb,
         /*  .fs_flags */
 };
 const struct inode_operations cifs_dir_inode_ops = {