1 files changed, 24 insertions, 13 deletions
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index 72e99ece78cf..24f0a9d97ad8 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -236,10 +236,7 @@ __u16 GetNextMid(struct TCP_Server_Info *server)
 {
        __u16 mid = 0;
        __u16 last_mid;
-        int   collision;
+        bool collision;
-        if (server == NULL)
-                return mid;
        spin_lock(&GlobalMid_Lock);
        last_mid = server->CurrentMid; /* we do not want to loop forever */
@@ -252,24 +249,38 @@ __u16 GetNextMid(struct TCP_Server_Info *server)
        (and it would also have to have been a request that
         did not time out) */
        while (server->CurrentMid != last_mid) {
-                struct list_head *tmp;
                struct mid_q_entry *mid_entry;
+                unsigned int num_mids;
-                collision = 0;
+                collision = false;
                if (server->CurrentMid == 0)
                        server->CurrentMid++;
-                list_for_each(tmp, &server->pending_mid_q) {
+                num_mids = 0;
-                        mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
+                list_for_each_entry(mid_entry, &server->pending_mid_q, qhead) {
+                        ++num_mids;
-                        if ((mid_entry->mid == server->CurrentMid) &&
+                        if (mid_entry->mid == server->CurrentMid &&
-                            (mid_entry->midState == MID_REQUEST_SUBMITTED)) {
+                            mid_entry->midState == MID_REQUEST_SUBMITTED) {
                                /* This mid is in use, try a different one */
-                                collision = 1;
+                                collision = true;
                                break;
                        }
                }
-                if (collision == 0) {
+                /*
+                 * if we have more than 32k mids in the list, then something
+                 * is very wrong. Possibly a local user is trying to DoS the
+                 * box by issuing long-running calls and SIGKILL'ing them. If
+                 * we get to 2^16 mids then we're in big trouble as this
+                 * function could loop forever.
+                 *
+                 * Go ahead and assign out the mid in this situation, but force
+                 * an eventual reconnect to clean out the pending_mid_q.
+                 */
+                if (num_mids > 32768)
+                        server->tcpStatus = CifsNeedReconnect;
+                if (!collision) {
                        mid = server->CurrentMid;
                        break;
                }

diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c index 72e99ece78cf..24f0a9d97ad8 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c
@@ -236,10 +236,7 @@ __u16 GetNextMid(struct TCP_Server_Info *server)
236	{	236	{
237	__u16 mid = 0;	237	__u16 mid = 0;
238	__u16 last_mid;	238	__u16 last_mid;
239	int collision;	239	bool collision;
240
241	if (server == NULL)
242	return mid;
243		240
244	spin_lock(&GlobalMid_Lock);	241	spin_lock(&GlobalMid_Lock);
245	last_mid = server->CurrentMid; /* we do not want to loop forever */	242	last_mid = server->CurrentMid; /* we do not want to loop forever */
@@ -252,24 +249,38 @@ __u16 GetNextMid(struct TCP_Server_Info *server)
252	(and it would also have to have been a request that	249	(and it would also have to have been a request that
253	did not time out) */	250	did not time out) */
254	while (server->CurrentMid != last_mid) {	251	while (server->CurrentMid != last_mid) {
255	struct list_head *tmp;
256	struct mid_q_entry *mid_entry;	252	struct mid_q_entry *mid_entry;
		253	unsigned int num_mids;
257		254
258	collision = 0;	255	collision = false;
259	if (server->CurrentMid == 0)	256	if (server->CurrentMid == 0)
260	server->CurrentMid++;	257	server->CurrentMid++;
261		258
262	list_for_each(tmp, &server->pending_mid_q) {	259	num_mids = 0;
263	mid_entry = list_entry(tmp, struct mid_q_entry, qhead);	260	list_for_each_entry(mid_entry, &server->pending_mid_q, qhead) {
264		261	++num_mids;
265	if ((mid_entry->mid == server->CurrentMid) &&	262	if (mid_entry->mid == server->CurrentMid &&
266	(mid_entry->midState == MID_REQUEST_SUBMITTED)) {	263	mid_entry->midState == MID_REQUEST_SUBMITTED) {
267	/* This mid is in use, try a different one */	264	/* This mid is in use, try a different one */
268	collision = 1;	265	collision = true;
269	break;	266	break;
270	}	267	}
271	}	268	}
272	if (collision == 0) {	269
		270	/*
		271	* if we have more than 32k mids in the list, then something
		272	* is very wrong. Possibly a local user is trying to DoS the
		273	* box by issuing long-running calls and SIGKILL'ing them. If
		274	* we get to 2^16 mids then we're in big trouble as this
		275	* function could loop forever.
		276	*
		277	* Go ahead and assign out the mid in this situation, but force
		278	* an eventual reconnect to clean out the pending_mid_q.
		279	*/
		280	if (num_mids > 32768)
		281	server->tcpStatus = CifsNeedReconnect;
		282
		283	if (!collision) {
273	mid = server->CurrentMid;	284	mid = server->CurrentMid;
274	break;	285	break;
275	}	286	}