From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:57492 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753835AbcHRJik (ORCPT ); Thu, 18 Aug 2016 05:38:40 -0400
Subject: Patch "cifs: Check for existing directory when opening file with O_CREAT" has been added to the 4.7-stable tree
To: sprabhu@redhat.com, gregkh@linuxfoundation.org, smfrench@gmail.com, xifeng@redhat.com
Cc: ,
From:
Date: Thu, 18 Aug 2016 11:37:45 +0200
Message-ID: <1471513065230213@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    cifs: Check for existing directory when opening file with O_CREAT

to the 4.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    cifs-check-for-existing-directory-when-opening-file-with-o_creat.patch
and it can be found in the queue-4.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.

>>From 8d9535b6efd86e6c07da59f97e68f44efb7fe080 Mon Sep 17 00:00:00 2001
From: Sachin Prabhu
Date: Thu, 7 Jul 2016 21:28:27 +0100
Subject: cifs: Check for existing directory when opening file with O_CREAT

From: Sachin Prabhu

commit 8d9535b6efd86e6c07da59f97e68f44efb7fe080 upstream.

When opening a file with O_CREAT flag, check to see if the file opened
is an existing directory.

This prevents the directory from being opened which subsequently causes
a crash when the close function for directories cifs_closedir() is called
which frees up the file->private_data memory while the file is still
listed on the open file list for the tcon.

Signed-off-by: Sachin Prabhu
Signed-off-by: Steve French
Reported-by: Xiaoli Feng
Signed-off-by: Greg Kroah-Hartman --- fs/cifs/dir.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) --- a/fs/cifs/dir.c +++ b/fs/cifs/dir.c @@ -245,6 +245,13 @@ cifs_do_create(struct inode *inode, stru goto cifs_create_get_file_info; } + if (S_ISDIR(newinode->i_mode)) { + CIFSSMBClose(xid, tcon, fid->netfid); + iput(newinode); + rc = -EISDIR; + goto out; + } + if (!S_ISREG(newinode->i_mode)) { /* * The server may allow us to open things like @@ -415,10 +422,14 @@ cifs_create_set_dentry: if (rc != 0) { cifs_dbg(FYI, "Create worked, get_inode_info failed rc = %d\n", rc); - if (server->ops->close) - server->ops->close(xid, tcon, fid); - goto out; + goto out_err; } + + if (S_ISDIR(newinode->i_mode)) { + rc = -EISDIR; + goto out_err; + } + d_drop(direntry); d_add(direntry, newinode); @@ -426,6 +437,13 @@ out: kfree(buf); kfree(full_path); return rc; + +out_err: + if (server->ops->close) + server->ops->close(xid, tcon, fid); + if (newinode) + iput(newinode); + goto out; } int Patches currently in stable-queue which might be from sprabhu@redhat.com are queue-4.7/cifs-check-for-existing-directory-when-opening-file-with-o_creat.patch queue-4.7/cifs-unbreak-tcp-session-reuse.patch queue-4.7/cifs-fix-crash-due-to-race-in-hmac-md5-handling.patch
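Review bot: In the first hunk (@@ -245,6 +245,13 @@) the new S_ISDIR branch open-codes its cleanup with `CIFSSMBClose(xid, tcon, fid->netfid);` and `iput(newinode);` before `goto out;`, while the third hunk adds an `out_err` label that performs the same close-and-iput through `server->ops->close`. Two cleanup sequences for the same -EISDIR error can drift apart; consider `rc = -EISDIR; goto out_err;` here too, or add a comment explaining why this path has to call CIFSSMBClose directly.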
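Review bot: In the second hunk (@@ -415,10 +422,14 @@) the `rc != 0` branch now jumps to `out_err`, which runs `if (newinode) iput(newinode);`. That is only safe if `newinode` is NULL whenever the inode lookup has failed, and neither its declaration nor its state on failure is visible in this context. Please confirm it is initialised to NULL and left untouched on error, or set it to NULL in this branch before the jump.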
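Review bot: In the third hunk (@@ -426,6 +437,13 @@) the `out_err:` label is placed after `return rc;` and ends in a backward `goto out;`, so the error path reads out of order and the label is easy to miss below the return. Placing `out_err:` directly above `out:` and letting it fall through would give the same behaviour with the usual forward-only unwind layout.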
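The commit message above says an O_CREAT open of an existing directory must be refused, and the patch returns -EISDIR for it. The following user-space regression check is an added example, not part of the patch or the kernel tree; the function names and the /tmp scratch path are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Open an existing directory with O_CREAT. Returns the errno seen, or 0 if
 * the open unexpectedly succeeded (the descriptor is closed in that case). */
int creat_open_errno(const char *dir, int accmode)
{
    int fd = open(dir, O_CREAT | accmode, 0600);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno;
}

/* 1 if both write-capable O_CREAT opens of dir are refused with EISDIR. */
int dir_rejects_creat(const char *dir)
{
    return creat_open_errno(dir, O_WRONLY) == EISDIR &&
           creat_open_errno(dir, O_RDWR) == EISDIR;
}

/* Self-check on a constructed scratch directory: O_CREAT opens must fail
 * with EISDIR while a plain O_RDONLY|O_DIRECTORY open keeps working. */
int selftest_scratch_dir(void)
{
    char tmpl[] = "/tmp/creat-dir-XXXXXX";
    int ok, fd;

    if (!mkdtemp(tmpl))
        return -1;
    ok = dir_rejects_creat(tmpl);
    fd = open(tmpl, O_RDONLY | O_DIRECTORY);
    ok = ok && fd >= 0;
    if (fd >= 0)
        close(fd);
    rmdir(tmpl);
    return ok;
}

int main(int argc, char **argv)
{
    int ok = argc > 1 ? dir_rejects_creat(argv[1]) : selftest_scratch_dir();
    printf("%s\n", ok == 1 ? "PASS: O_CREAT on directory gives EISDIR" : "FAIL");
    return ok == 1 ? 0 : 1;
}
```

Given a directory on a CIFS mount as its first argument, it checks that mount on a kernel carrying this patch; with no argument it checks the scratch directory.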