diff options
| author | Pavel Shilovsky <pshilovsky@samba.org> | 2012-05-31 05:03:26 -0400 |
|---|---|---|
| committer | Steve French <sfrench@us.ibm.com> | 2012-06-01 13:35:08 -0400 |
| commit | 0013fb4ca3171c64a4a5d3851fb591bb575e7f04 (patch) | |
| tree | e324f2926e2e920bb7355ee8dc79a09df60342cf /fs | |
| parent | 51eab603f5c86dd1eae4c525df3e7f7eeab401d6 (diff) | |
CIFS: Fix possible wrong memory allocation
when cifs_reconnect sets maxBuf to 0 and we try to calculate a size
of memory we need to store locks.
Signed-off-by: Pavel Shilovsky <pshilovsky@samba.org>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/cifs/file.c | 31 |
1 files changed, 25 insertions, 6 deletions
diff --git a/fs/cifs/file.c b/fs/cifs/file.c index 253170dfa716..de8abb6f7b56 100644 --- a/fs/cifs/file.c +++ b/fs/cifs/file.c | |||
| @@ -876,7 +876,7 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile) | |||
| 876 | struct cifsLockInfo *li, *tmp; | 876 | struct cifsLockInfo *li, *tmp; |
| 877 | struct cifs_tcon *tcon; | 877 | struct cifs_tcon *tcon; |
| 878 | struct cifsInodeInfo *cinode = CIFS_I(cfile->dentry->d_inode); | 878 | struct cifsInodeInfo *cinode = CIFS_I(cfile->dentry->d_inode); |
| 879 | unsigned int num, max_num; | 879 | unsigned int num, max_num, max_buf; |
| 880 | LOCKING_ANDX_RANGE *buf, *cur; | 880 | LOCKING_ANDX_RANGE *buf, *cur; |
| 881 | int types[] = {LOCKING_ANDX_LARGE_FILES, | 881 | int types[] = {LOCKING_ANDX_LARGE_FILES, |
| 882 | LOCKING_ANDX_SHARED_LOCK | LOCKING_ANDX_LARGE_FILES}; | 882 | LOCKING_ANDX_SHARED_LOCK | LOCKING_ANDX_LARGE_FILES}; |
| @@ -892,8 +892,19 @@ cifs_push_mandatory_locks(struct cifsFileInfo *cfile) | |||
| 892 | return rc; | 892 | return rc; |
| 893 | } | 893 | } |
| 894 | 894 | ||
| 895 | max_num = (tcon->ses->server->maxBuf - sizeof(struct smb_hdr)) / | 895 | /* |
| 896 | sizeof(LOCKING_ANDX_RANGE); | 896 | * Accessing maxBuf is racy with cifs_reconnect - need to store value |
| 897 | * and check it for zero before using. | ||
| 898 | */ | ||
| 899 | max_buf = tcon->ses->server->maxBuf; | ||
| 900 | if (!max_buf) { | ||
| 901 | mutex_unlock(&cinode->lock_mutex); | ||
| 902 | FreeXid(xid); | ||
| 903 | return -EINVAL; | ||
| 904 | } | ||
| 905 | |||
| 906 | max_num = (max_buf - sizeof(struct smb_hdr)) / | ||
| 907 | sizeof(LOCKING_ANDX_RANGE); | ||
| 897 | buf = kzalloc(max_num * sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL); | 908 | buf = kzalloc(max_num * sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL); |
| 898 | if (!buf) { | 909 | if (!buf) { |
| 899 | mutex_unlock(&cinode->lock_mutex); | 910 | mutex_unlock(&cinode->lock_mutex); |
| @@ -1218,7 +1229,7 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, int xid) | |||
| 1218 | int types[] = {LOCKING_ANDX_LARGE_FILES, | 1229 | int types[] = {LOCKING_ANDX_LARGE_FILES, |
| 1219 | LOCKING_ANDX_SHARED_LOCK | LOCKING_ANDX_LARGE_FILES}; | 1230 | LOCKING_ANDX_SHARED_LOCK | LOCKING_ANDX_LARGE_FILES}; |
| 1220 | unsigned int i; | 1231 | unsigned int i; |
| 1221 | unsigned int max_num, num; | 1232 | unsigned int max_num, num, max_buf; |
| 1222 | LOCKING_ANDX_RANGE *buf, *cur; | 1233 | LOCKING_ANDX_RANGE *buf, *cur; |
| 1223 | struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); | 1234 | struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); |
| 1224 | struct cifsInodeInfo *cinode = CIFS_I(cfile->dentry->d_inode); | 1235 | struct cifsInodeInfo *cinode = CIFS_I(cfile->dentry->d_inode); |
| @@ -1228,8 +1239,16 @@ cifs_unlock_range(struct cifsFileInfo *cfile, struct file_lock *flock, int xid) | |||
| 1228 | 1239 | ||
| 1229 | INIT_LIST_HEAD(&tmp_llist); | 1240 | INIT_LIST_HEAD(&tmp_llist); |
| 1230 | 1241 | ||
| 1231 | max_num = (tcon->ses->server->maxBuf - sizeof(struct smb_hdr)) / | 1242 | /* |
| 1232 | sizeof(LOCKING_ANDX_RANGE); | 1243 | * Accessing maxBuf is racy with cifs_reconnect - need to store value |
| 1244 | * and check it for zero before using. | ||
| 1245 | */ | ||
| 1246 | max_buf = tcon->ses->server->maxBuf; | ||
| 1247 | if (!max_buf) | ||
| 1248 | return -EINVAL; | ||
| 1249 | |||
| 1250 | max_num = (max_buf - sizeof(struct smb_hdr)) / | ||
| 1251 | sizeof(LOCKING_ANDX_RANGE); | ||
| 1233 | buf = kzalloc(max_num * sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL); | 1252 | buf = kzalloc(max_num * sizeof(LOCKING_ANDX_RANGE), GFP_KERNEL); |
| 1234 | if (!buf) | 1253 | if (!buf) |
| 1235 | return -ENOMEM; | 1254 | return -ENOMEM; |