Message ID | 20201215225133.20378-1-lsahlber@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | cifs: fix use after free in cifs_smb3_do_mount() |
merged into cifs-2.6.git for-next to address the issue Dan pointed out. On Tue, Dec 15, 2020 at 4:51 PM Ronnie Sahlberg <lsahlber@redhat.com> wrote: > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com> > --- > fs/cifs/cifsfs.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c > index 4c385eeecc05..2c6e54fa6429 100644 > --- a/fs/cifs/cifsfs.c > +++ b/fs/cifs/cifsfs.c > @@ -836,12 +836,14 @@ cifs_smb3_do_mount(struct file_system_type *fs_type, > if (IS_ERR(sb)) { > root = ERR_CAST(sb); > cifs_umount(cifs_sb); > + cifs_sb = NULL; > goto out; > } > > if (sb->s_root) { > cifs_dbg(FYI, "Use existing superblock\n"); > cifs_umount(cifs_sb); > + cifs_sb = NULL; > } else { > rc = cifs_read_super(sb); > if (rc) { > @@ -852,7 +854,7 @@ cifs_smb3_do_mount(struct file_system_type *fs_type, > sb->s_flags |= SB_ACTIVE; > } > > - root = cifs_get_root(cifs_sb->ctx, sb); > + root = cifs_get_root(cifs_sb ? cifs_sb->ctx : old_ctx, sb); > if (IS_ERR(root)) > goto out_super; > > -- > 2.13.6 >
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index 4c385eeecc05..2c6e54fa6429 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c @@ -836,12 +836,14 @@ cifs_smb3_do_mount(struct file_system_type *fs_type, if (IS_ERR(sb)) { root = ERR_CAST(sb); cifs_umount(cifs_sb); + cifs_sb = NULL; goto out; } if (sb->s_root) { cifs_dbg(FYI, "Use existing superblock\n"); cifs_umount(cifs_sb); + cifs_sb = NULL; } else { rc = cifs_read_super(sb); if (rc) { @@ -852,7 +854,7 @@ cifs_smb3_do_mount(struct file_system_type *fs_type, sb->s_flags |= SB_ACTIVE; } - root = cifs_get_root(cifs_sb->ctx, sb); + root = cifs_get_root(cifs_sb ? cifs_sb->ctx : old_ctx, sb); if (IS_ERR(root)) goto out_super;
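Review bot: in the first hunk (@@ -836,12 +836,14 @@), both added `cifs_sb = NULL;` lines depend on the reader knowing that cifs_sb must not be touched once cifs_umount(cifs_sb) has returned, and neither the code nor the commit message (which carries only the Reported-by and Signed-off-by trailers) says so. A one-line comment in the sb->s_root branch, where execution continues on to cifs_get_root(), and a commit body naming the later cifs_sb->ctx dereference as the use after free would make the fix easier to audit and to backport. For the IS_ERR(sb) branch, which jumps straight to out, it is worth confirming what that label does with cifs_sb, since it is not visible in this hunk.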
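Review bot: in the second hunk (@@ -852,7 +854,7 @@), `cifs_sb ? cifs_sb->ctx : old_ctx` falls back to old_ctx, whose assignment and lifetime are not visible anywhere in this patch. Please confirm that it is still valid at this point on the "Use existing superblock" path, and say in the commit message why it is the right context to hand to cifs_get_root(). Also, cifs_sb can now be NULL when `goto out_super` is taken on IS_ERR(root), so the out_super and out paths need to tolerate a NULL cifs_sb.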
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com> --- fs/cifs/cifsfs.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)