From: Ronnie Sahlberg <lsahlber@redhat.com>
Date: Tue, 15 Dec 2020 22:51:33 +0000 (+1000)
Subject: cifs: fix use after free in cifs_smb3_do_mount()
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=6cf5abbfa8c8a2826d56e38ed1956a0e2f0c85b9;p=linux.git

cifs: fix use after free in cifs_smb3_do_mount()

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
---

diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 4c9e12b468105..ce0d0037fd0af 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -854,12 +854,14 @@ cifs_smb3_do_mount(struct file_system_type *fs_type,
 	if (IS_ERR(sb)) {
 		root = ERR_CAST(sb);
 		cifs_umount(cifs_sb);
+		cifs_sb = NULL;
 		goto out;
 	}
 
 	if (sb->s_root) {
 		cifs_dbg(FYI, "Use existing superblock\n");
 		cifs_umount(cifs_sb);
+		cifs_sb = NULL;
 	} else {
 		rc = cifs_read_super(sb);
 		if (rc) {
@@ -870,7 +872,7 @@ cifs_smb3_do_mount(struct file_system_type *fs_type,
 		sb->s_flags |= SB_ACTIVE;
 	}
 
-	root = cifs_get_root(cifs_sb->ctx, sb);
+	root = cifs_get_root(cifs_sb ? cifs_sb->ctx : old_ctx, sb);
 	if (IS_ERR(root))
 		goto out_super;