From: Dan Carpenter <dan.carpenter@oracle.com>
To: lsahlber@redhat.com
Cc: linux-cifs@vger.kernel.org
Subject: [bug report] cifs: add an smb3_fs_context to cifs_sb
Date: Tue, 15 Dec 2020 18:05:43 +0300
Message-ID: <X9jQx1UL0vVELxC+@mwanda>
Hello Ronnie Sahlberg,
The patch d17abdf75665: "cifs: add an smb3_fs_context to cifs_sb"
from Nov 10, 2020, leads to the following static checker warning:
fs/cifs/cifsfs.c:876 cifs_smb3_do_mount()
	error: double free of 'cifs_sb->prepath'

fs/cifs/cifsfs.c
   813          rc = cifs_setup_cifs_sb(cifs_sb);
   814          if (rc) {
   815                  root = ERR_PTR(rc);
   816                  goto out;
   817          }
   818  
   819          rc = cifs_mount(cifs_sb, cifs_sb->ctx);
   820          if (rc) {
   821                  if (!(flags & SB_SILENT))
   822                          cifs_dbg(VFS, "cifs_mount failed w/return code = %d\n",
   823                                   rc);
   824                  root = ERR_PTR(rc);
   825                  goto out;
   826          }
   827  
   828          mnt_data.ctx = cifs_sb->ctx;
   829          mnt_data.cifs_sb = cifs_sb;
   830          mnt_data.flags = flags;
   831  
   832          /* BB should we make this contingent on mount parm? */
   833          flags |= SB_NODIRATIME | SB_NOATIME;
   834  
   835          sb = sget(fs_type, cifs_match_super, cifs_set_super, flags, &mnt_data);
   836          if (IS_ERR(sb)) {
   837                  root = ERR_CAST(sb);
   838                  cifs_umount(cifs_sb);

cifs_umount() frees everything.  Smatch doesn't catch some of it because
it happens in a delayed thread.

   839                  goto out;
   840          }
   841  
   842          if (sb->s_root) {
   843                  cifs_dbg(FYI, "Use existing superblock\n");
   844                  cifs_umount(cifs_sb);
                        ^^^^^^^^^^^^^^^^^^^^
This frees "cifs_sb".

   845          } else {
   846                  rc = cifs_read_super(sb);
   847                  if (rc) {
   848                          root = ERR_PTR(rc);
   849                          goto out_super;
   850                  }
   851  
   852                  sb->s_flags |= SB_ACTIVE;
   853          }
   854  
   855          root = cifs_get_root(cifs_sb->ctx, sb);
                                     ^^^^^^^^^^^^
So this is a use after free.

   856          if (IS_ERR(root))
   857                  goto out_super;
   858  
   859          cifs_dbg(FYI, "dentry root is: %p\n", root);
   860          return root;
   861  
   862  out_super:
   863          deactivate_locked_super(sb);
   864  out:
   865          if (cifs_sb) {
   866                  kfree(cifs_sb->prepath);
   867                  smb3_cleanup_fs_context(cifs_sb->ctx);
   868                  kfree(cifs_sb);

All these three are double frees.

   869          }
   870          return root;
   871  }
regards,
dan carpenter
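The bug class in the report is an ownership hand-off that the common exit path does not know about: cifs_umount() takes the whole cifs_sb with it, the code keeps dereferencing cifs_sb afterwards (the use after free), and if the function then reaches the out: label the same three objects are freed again. The model below is an added example, not Dan's message and not the cifs code: the structs, cifs_umount(), smb3_cleanup_fs_context(), kalloc()/kfree_m() and the name old_ctx for the caller-owned context are stand-ins, and the "fixed" variant applies the usual remedy of dropping the pointer once the cleanup helper owns the object (an assumed fix, not necessarily the one that went upstream). The model heap never really releases memory, so the stale reads are well-defined here and are counted instead of corrupting anything.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Model heap: freed objects are tagged dead, never returned to libc, so a
 * stale read stays well-defined here and is simply counted. */
#define MAX_OBJS 64
static void *objs[MAX_OBJS];
static int dead[MAX_OBJS], nobjs, double_frees, uaf_reads;

static void *kalloc(size_t n)
{
	void *p = calloc(1, n);
	if (!p || nobjs == MAX_OBJS) abort();
	objs[nobjs] = p; dead[nobjs++] = 0;
	return p;
}
static int slot(const void *p)
{
	for (int i = 0; i < nobjs; i++)
		if (objs[i] == p) return i;
	abort();			/* pointer this model never handed out */
}
static void kfree_m(void *p)		/* kfree(): NULL is a no-op */
{
	if (p && dead[slot(p)]) double_frees++;
	if (p) dead[slot(p)] = 1;
}
static void *deref(void *p)		/* every field read goes through here */
{
	if (dead[slot(p)]) uaf_reads++;
	return p;
}
struct smb3_fs_context { char *username; };
struct cifs_sb { struct smb3_fs_context *ctx; char *prepath; };
#define SB(p)  ((struct cifs_sb *)deref(p))
#define CTX(p) ((struct smb3_fs_context *)deref(p))

static char *kstrdup_m(const char *s) { return strcpy(kalloc(strlen(s) + 1), s); }
static void smb3_cleanup_fs_context(struct smb3_fs_context *c)
{
	kfree_m(CTX(c)->username);
	kfree_m(c);
}
static void cifs_umount(struct cifs_sb *sb)	/* frees everything, then sb itself */
{
	kfree_m(SB(sb)->prepath);
	smb3_cleanup_fs_context(SB(sb)->ctx);
	kfree_m(sb);
}
enum sget_result { SGET_FAILS, SGET_EXISTING, SGET_NEW };

/* cifs_smb3_do_mount() reduced to the lines in the report.  fixed == 0
 * reproduces the bug; fixed == 1 drops the pointer once cifs_umount() owns
 * the object, so 'out' is a no-op and cifs_get_root() gets old_ctx instead. */
static int do_mount(struct smb3_fs_context *old_ctx, enum sget_result sget,
		    int get_root_fails, int fixed)
{
	struct cifs_sb *cifs_sb = kalloc(sizeof *cifs_sb);
	struct smb3_fs_context *ctx;
	int rc = 0;

	cifs_sb->ctx = kalloc(sizeof *cifs_sb->ctx);	/* stand-in for the ctx dup */
	cifs_sb->ctx->username = kstrdup_m(CTX(old_ctx)->username);
	cifs_sb->prepath = kstrdup_m("dir/sub");

	if (sget == SGET_FAILS) {			/* IS_ERR(sb) */
		rc = -ENOMEM;
		cifs_umount(cifs_sb);
		if (fixed) cifs_sb = NULL;
		goto out;
	}
	if (sget == SGET_EXISTING) {			/* sb->s_root: reuse it */
		cifs_umount(cifs_sb);
		if (fixed) cifs_sb = NULL;
	}
	ctx = cifs_sb ? SB(cifs_sb)->ctx : old_ctx;	/* cifs_get_root(cifs_sb->ctx, sb) */
	(void)CTX(ctx)->username;			/* cifs_get_root() reads the context */
	if (get_root_fails) { rc = -ENOENT; goto out; }
	return 0;					/* success returns before 'out' */
out:
	if (cifs_sb) {					/* the three frees from the report */
		kfree_m(SB(cifs_sb)->prepath);
		smb3_cleanup_fs_context(SB(cifs_sb)->ctx);
		kfree_m(cifs_sb);
	}
	return rc;
}

/* Run one scenario on a fresh model heap; rc is returned, counters via accessors */
int run_scenario(int fixed, enum sget_result sget, int get_root_fails)
{
	while (nobjs) free(objs[--nobjs]);
	double_frees = uaf_reads = 0;
	struct smb3_fs_context *old_ctx = kalloc(sizeof *old_ctx);
	old_ctx->username = kstrdup_m("user");
	return do_mount(old_ctx, sget, get_root_fails, fixed);
}
int double_free_count(void) { return double_frees; }
int uaf_read_count(void) { return uaf_reads; }
```

Call run_scenario(fixed, sget, get_root_fails) and then read double_free_count() and uaf_read_count(). With fixed == 0, the sget-failure path and the "existing superblock, then cifs_get_root() fails" path both free prepath, the context and cifs_sb a second time (four objects in this model, since the context cleanup frees two), and every path through the existing-superblock branch reads the freed cifs_sb even when the mount succeeds; the ordinary new-superblock error path is clean. With fixed == 1 every scenario reports zero on both counters, which is the property a reviewer should check when a cleanup helper frees an object that a shared exit label also frees.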