diff options
| author | Jeff Layton <jlayton@redhat.com> | 2009-12-03 08:09:41 -0500 |
|---|---|---|
| committer | Steve French <sfrench@us.ibm.com> | 2009-12-03 11:12:41 -0500 |
| commit | a2934c7b363ddcc001964f2444649f909e583bef (patch) | |
| tree | c58eb5fd32591e1e54a37ed7b42f3fc4bb910d0e /fs/cifs | |
| parent | 29e553631b2a0d4eebd23db630572e1027a9967a (diff) | |
cifs: NULL out tcon, pSesInfo, and srvTcp pointers when chasing DFS referrals
The scenario is this:
The kernel gets EREMOTE and starts chasing a DFS referral at mount time.
The tcon reference is put, which puts the session reference too, but
neither pointer is zeroed out.
The mount gets retried (goto try_mount_again) with new mount info.
Session setup fails fails and rc ends up being non-zero. The code then
falls through to the end and tries to put the previously freed tcon
pointer again. Oops at: cifs_put_smb_ses+0x14/0xd0
Fix this by moving the initialization of the rc variable and the tcon,
pSesInfo and srvTcp pointers below the try_mount_again label. Also, add
a FreeXid() before the goto to prevent xid "leaks".
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reported-by: Gustavo Carvalho Homem <gustavo@angulosolido.pt>
CC: stable <stable@kernel.org>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs/cifs')
| -rw-r--r-- | fs/cifs/connect.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 63ea83ff687f..3bbcaa716b3c 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c | |||
| @@ -2287,12 +2287,12 @@ int | |||
| 2287 | cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb, | 2287 | cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb, |
| 2288 | char *mount_data_global, const char *devname) | 2288 | char *mount_data_global, const char *devname) |
| 2289 | { | 2289 | { |
| 2290 | int rc = 0; | 2290 | int rc; |
| 2291 | int xid; | 2291 | int xid; |
| 2292 | struct smb_vol *volume_info; | 2292 | struct smb_vol *volume_info; |
| 2293 | struct cifsSesInfo *pSesInfo = NULL; | 2293 | struct cifsSesInfo *pSesInfo; |
| 2294 | struct cifsTconInfo *tcon = NULL; | 2294 | struct cifsTconInfo *tcon; |
| 2295 | struct TCP_Server_Info *srvTcp = NULL; | 2295 | struct TCP_Server_Info *srvTcp; |
| 2296 | char *full_path; | 2296 | char *full_path; |
| 2297 | char *mount_data = mount_data_global; | 2297 | char *mount_data = mount_data_global; |
| 2298 | #ifdef CONFIG_CIFS_DFS_UPCALL | 2298 | #ifdef CONFIG_CIFS_DFS_UPCALL |
| @@ -2301,6 +2301,10 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb, | |||
| 2301 | int referral_walks_count = 0; | 2301 | int referral_walks_count = 0; |
| 2302 | try_mount_again: | 2302 | try_mount_again: |
| 2303 | #endif | 2303 | #endif |
| 2304 | rc = 0; | ||
| 2305 | tcon = NULL; | ||
| 2306 | pSesInfo = NULL; | ||
| 2307 | srvTcp = NULL; | ||
| 2304 | full_path = NULL; | 2308 | full_path = NULL; |
| 2305 | 2309 | ||
| 2306 | xid = GetXid(); | 2310 | xid = GetXid(); |
| @@ -2597,6 +2601,7 @@ remote_path_check: | |||
| 2597 | 2601 | ||
| 2598 | cleanup_volume_info(&volume_info); | 2602 | cleanup_volume_info(&volume_info); |
| 2599 | referral_walks_count++; | 2603 | referral_walks_count++; |
| 2604 | FreeXid(xid); | ||
| 2600 | goto try_mount_again; | 2605 | goto try_mount_again; |
| 2601 | } | 2606 | } |
| 2602 | #else /* No DFS support, return error on mount */ | 2607 | #else /* No DFS support, return error on mount */ |