We've had a number of panics reported by people using cifs mounts on F15. See the following reported bugs:
727927 731278 732934
I'd like to see both of the following patches added to 2.6.40.3 and above until they make it into the stable series. The second may also be appropriate for F16, but it may be simpler to just wait for the stable series to catch up there.
The patches are pretty straightforward fixes, let me know if anything with them isn't clear.
Pavel Shilovsky (1): CIFS: Fix ERR_PTR dereference in cifs_get_root
Steve French (1): [CIFS] possible memory corruption on mount
 fs/cifs/cifsfs.c  | 10 ++++++----
 fs/cifs/connect.c |  3 ++-
 2 files changed, 8 insertions(+), 5 deletions(-)
From: Steve French sfrench@us.ibm.com
CIFS cleanup_volume_info_contents() looks like it has a memory corruption problem. When UNCip is set to "&vol->UNC[2]" in cifs_parse_mount_options(), it should not be kfree()-ed in cleanup_volume_info_contents().
Introduced in commit b946845a9dc523c759cae2b6a0f6827486c3221a
Signed-off-by: J.R. Okajima hooanon05@yahoo.co.jp
Reviewed-by: Jeff Layton jlayton@redhat.com
CC: Stable stable@kernel.org
Signed-off-by: Steve French sfrench@us.ibm.com
---
 fs/cifs/connect.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index ccc1afa..e0ea721 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -2838,7 +2838,8 @@ cleanup_volume_info_contents(struct smb_vol *volume_info) kfree(volume_info->username); kzfree(volume_info->password); kfree(volume_info->UNC); - kfree(volume_info->UNCip); + if (volume_info->UNCip != volume_info->UNC + 2) + kfree(volume_info->UNCip); kfree(volume_info->domainname); kfree(volume_info->iocharset); kfree(volume_info->prepath);
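Review bot: the new comparison against volume_info->UNC + 2 runs on the line after kfree(volume_info->UNC) has already released that block; only the pointer value is compared, nothing is dereferenced, so it is safe in practice, but moving the UNCip test above the kfree() of UNC (or moving kfree(volume_info->UNC) below the new block) avoids comparing against a freed pointer, and a one-line comment that UNCip may alias &UNC[2] from cifs_parse_mount_options() would record why the check exists for the next person touching this function.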
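The aliasing the commit message describes, as an added user-space model (example code, not the kernel's or the patch's own): the struct and function names follow the patch, but the option handling, the UNC string and the ip= value are constructed simplifications. It shows the two shapes a volume can have after parsing and why cleanup must test for the alias before freeing UNCip.

```c
/* Added example, not kernel code: a user-space model of the UNC/UNCip
 * aliasing described in the "[CIFS] possible memory corruption on mount"
 * commit message. Names follow the patch; the parsing logic and the sample
 * strings are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct smb_vol {
    char *UNC;    /* "\\\\server\\share", its own heap block */
    char *UNCip;  /* either a separate block (ip= given) or &UNC[2] */
};

/* Model of cifs_parse_mount_options(): with an explicit ip= option UNCip is
 * allocated separately; without one it points at the host part of UNC,
 * i.e. an interior pointer into the UNC allocation. */
static int parse_mount_options(struct smb_vol *vol, const char *unc, const char *ip)
{
    vol->UNC = strdup(unc);
    if (!vol->UNC)
        return -1;
    if (ip) {
        vol->UNCip = strdup(ip);
        if (!vol->UNCip) {
            free(vol->UNC);
            vol->UNC = NULL;
            return -1;
        }
    } else {
        vol->UNCip = &vol->UNC[2];   /* skip the leading "\\\\" */
    }
    return 0;
}

/* True when UNCip is the alias and must not be handed to free(). */
static int uncip_is_alias(const struct smb_vol *vol)
{
    return vol->UNC && vol->UNCip == vol->UNC + 2;
}

/* Fixed cleanup, mirroring the patch's test. Unlike the patch, the alias
 * decision is taken before UNC itself is released, so the comparison never
 * involves a freed pointer. Returns the number of blocks released so the
 * decision can be checked. The pre-patch code freed UNCip unconditionally,
 * which in the alias case passes an interior pointer to the allocator. */
int cleanup_volume_info_contents(struct smb_vol *vol)
{
    int freed = 0;
    int alias = uncip_is_alias(vol);

    if (vol->UNCip && !alias) {
        free(vol->UNCip);
        freed++;
    }
    vol->UNCip = NULL;
    if (vol->UNC) {
        free(vol->UNC);
        freed++;
    }
    vol->UNC = NULL;
    return freed;
}

/* One parse/cleanup cycle for a volume with or without ip=; returns the
 * number of blocks released: 1 when UNCip aliased UNC, 2 otherwise. */
int frees_for(const char *ip)
{
    struct smb_vol vol = { NULL, NULL };
    if (parse_mount_options(&vol, "\\\\srv\\share", ip))   /* constructed UNC */
        return -1;
    return cleanup_volume_info_contents(&vol);
}

/* Whether parsing with this option set left UNCip aliasing UNC. */
int alias_for(const char *ip)
{
    struct smb_vol vol = { NULL, NULL };
    int alias;
    if (parse_mount_options(&vol, "\\\\srv\\share", ip))
        return -1;
    alias = uncip_is_alias(&vol);
    cleanup_volume_info_contents(&vol);
    return alias;
}

int main(void)
{
    printf("no ip=:        alias=%d freed=%d\n", alias_for(NULL), frees_for(NULL));
    printf("ip=192.0.2.10: alias=%d freed=%d\n",
           alias_for("192.0.2.10"), frees_for("192.0.2.10"));
    return 0;
}
```

Running the pre-patch variant (an unconditional free of UNCip) under a debugging allocator or ASan on the no-ip= case is the quickest way to see the corruption the commit message refers to; the fixed version above releases exactly one block in that case and two when ip= supplied a separate string.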
From: Pavel Shilovsky piastryyy@gmail.com
move it to the beginning of the loop.
Cc: stable@kernel.org
Signed-off-by: Pavel Shilovsky piastryyy@gmail.com
Reviewed-by: Jeff Layton jlayton@redhat.com
---
 fs/cifs/cifsfs.c | 10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index fc7e57b..53e7d72 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c @@ -566,6 +566,12 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb) struct inode *dir = dentry->d_inode; struct dentry *child;
+ if (!dir) { + dput(dentry); + dentry = ERR_PTR(-ENOENT); + break; + } + /* skip separators */ while (*s == sep) s++; @@ -581,10 +587,6 @@ cifs_get_root(struct smb_vol *vol, struct super_block *sb) mutex_unlock(&dir->i_mutex); dput(dentry); dentry = child; - if (!dentry->d_inode) { - dput(dentry); - dentry = ERR_PTR(-ENOENT); - } } while (!IS_ERR(dentry)); _FreeXid(xid); kfree(full_path);
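Review bot: in the first hunk, the new `if (!dir)` block sits before the separator skipping and before the `if (!*s) break;` exit, and that ordering is what makes a negative dentry returned for the last path component still get turned into -ENOENT on the following pass; if the check were placed after the `if (!*s)` test, a negative dentry would be handed back to the caller. Suggest a short comment above the block saying it must stay ahead of the end-of-path break.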
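Review bot: in the second hunk, the removed `if (!dentry->d_inode)` read dentry right after `dentry = child`, where child comes from lookup_one_len() and can be an ERR_PTR; the `while (!IS_ERR(dentry))` condition only ran after that read, so removing the block (rather than the new check at the top) is what actually stops the ERR_PTR dereference named in the subject. Worth a comment at the loop condition that IS_ERR() is now the only test applied to child before anything is read through it.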
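The walk in cifs_get_root() after the patch, as an added user-space model (example code, not the kernel's or the patch's own): ERR_PTR/PTR_ERR/IS_ERR follow the kernel convention, but the dentry and inode structs, lookup_one_len(), dput() and the small directory tree are constructed stand-ins, and the paths fed in are made up. It shows how an error pointer from a lookup now reaches the loop condition untouched, and how a negative dentry for the final component is still rejected.

```c
/* Added example, not kernel code: a user-space model of the patched
 * cifs_get_root() loop. ERR_PTR/IS_ERR mirror include/linux/err.h; the
 * structs, lookup_one_len(), dput() and the tree are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr) { return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO; }

struct inode;
struct child { const char *name; struct inode *inode; };
struct inode {
    const char *name;
    int lookup_fails;             /* constructed: lookups here return -EIO */
    const struct child *children;
    size_t nchildren;
};
struct dentry { struct inode *d_inode; int is_root; };

/* Constructed tree: "\a\b" exists; "\bad" is a directory whose lookups fail. */
static struct inode leaf_b = { "b", 0, NULL, 0 };
static const struct child a_children[] = { { "b", &leaf_b } };
static struct inode dir_a = { "a", 0, a_children, 1 };
static struct inode dir_bad = { "bad", 1, NULL, 0 };
static const struct child root_children[] = { { "a", &dir_a }, { "bad", &dir_bad } };
static struct inode root_inode = { "/", 0, root_children, 2 };
static struct dentry root_dentry = { &root_inode, 1 };

static void dput(struct dentry *d)
{
    if (d && !d->is_root)
        free(d);
}

/* Like the kernel's lookup_one_len(): an ERR_PTR on failure, otherwise a
 * dentry that is negative (d_inode == NULL) when the name does not exist. */
static struct dentry *lookup_one_len(const char *name, struct dentry *parent, size_t len)
{
    struct inode *dir = parent->d_inode;
    struct dentry *d;
    size_t i;

    if (dir->lookup_fails)
        return ERR_PTR(-EIO);
    d = calloc(1, sizeof *d);
    if (!d)
        return ERR_PTR(-ENOMEM);
    for (i = 0; i < dir->nchildren; i++)
        if (strlen(dir->children[i].name) == len && memcmp(dir->children[i].name, name, len) == 0)
            d->d_inode = dir->children[i].inode;
    return d;
}

/* The patched loop. The !dir test runs after the do/while condition has
 * rejected ERR_PTR values and before the end-of-path break, so a negative
 * dentry for the last component becomes -ENOENT on the next pass. The
 * pre-patch code read dentry->d_inode right after dentry = child, which
 * dereferenced the ERR_PTR whenever lookup_one_len() failed. */
struct dentry *cifs_get_root(const char *full_path, char sep)
{
    struct dentry *dentry = &root_dentry;
    const char *s = full_path, *p = full_path;

    do {
        struct inode *dir = dentry->d_inode;
        struct dentry *child;

        if (!dir) {
            dput(dentry);
            dentry = ERR_PTR(-ENOENT);
            break;
        }
        while (*s == sep)
            s++;
        if (!*s)
            break;
        p = s++;
        while (*s && *s != sep)
            s++;
        child = lookup_one_len(p, dentry, (size_t)(s - p));
        dput(dentry);
        dentry = child;
    } while (!IS_ERR(dentry));
    return dentry;
}

/* Walk a path; 0 on success, otherwise the negative errno the walk produced. */
long walk_status(const char *path)
{
    struct dentry *d = cifs_get_root(path, '\\');
    if (IS_ERR(d))
        return PTR_ERR(d);
    dput(d);
    return 0;
}

int main(void)
{
    const char *paths[] = { "\\a\\b", "", "\\a\\nope", "\\a\\b\\c", "\\bad\\x" };
    size_t i;
    for (i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-10s -> %ld\n", paths[i], walk_status(paths[i]));
    return 0;
}
```

The "\bad\x" case is the one the subject line is about: lookup_one_len() returns ERR_PTR(-EIO), the loop condition sees IS_ERR() and exits, and the caller gets the error back; with the pre-patch ordering the same input would have read d_inode through a pointer near the top of the address space.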
kernel@lists.fedoraproject.org