merged into cifs-2.6.git for-next

On Fri, Jul 31, 2020 at 12:15 PM Colin King <colin.king@xxxxxxxxxxxxx> wrote:
>
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
> Currently if the call dfs_cache_get_tgt_share fails we cannot
> fully guarantee that share and prefix are set to NULL and the
> next iteration of the loop can end up potentially double freeing
> these pointers. Since the semantics of dfs_cache_get_tgt_share
> are ambiguous for failure cases with the setting of share and
> prefix (currently now and possibly the future), it seems
> prudent to set the pointers to NULL when the objects are
> freed to avoid any double frees.
>
> Addresses-Coverity: ("Double free")
> Fixes: 96296c946a2a ("cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect")
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> ---
>  fs/cifs/connect.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index 3c4dd4e1b9eb..4b2f5f5b3a8e 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -5574,6 +5574,8 @@ int cifs_tree_connect(const unsigned int xid, struct cifs_tcon *tcon, const stru
>
>  		kfree(share);
>  		kfree(prefix);
> +		share = NULL;
> +		prefix = NULL;
>
>  		rc = dfs_cache_get_tgt_share(tcon->dfs_path + 1, it, &share, &prefix);
>  		if (rc) {
> --
> 2.27.0
>

-- 
Thanks,

Steve
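Review bot: The NULL reset after the kfree() pair in the cifs_tree_connect() hunk papers over a contract problem that lives in dfs_cache_get_tgt_share(): the commit message says its failure paths do not guarantee *share and *prefix are cleared, so the pointers freed at the top of the iteration survive into the next kfree(). The two added lines are correct as far as they go, since kfree(NULL) is a no-op, but two things outside the visible context should be confirmed: share and prefix must already be NULL before the first pass through the loop, and whatever frees them after the loop must rely on the same reset, because a failed call on the last iteration would otherwise leave both pointing at freed memory. The more robust fix is to make dfs_cache_get_tgt_share() set *share = *prefix = NULL on every error return (or document that callers own the reset), which removes the ambiguity the commit message mentions rather than working around it at one call site.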
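The free-then-refill pattern the commit message describes, as an added example that is not part of the patch or of the Linux source: a simulated allocator that records double frees instead of corrupting a real heap, a stand-in for dfs_cache_get_tgt_share() that fails without touching its out-parameters (the failure contract the commit message calls ambiguous), and the loop from the hunk run both without and with the patch's NULL resets. All names here (sim_alloc, sim_free, fake_get_tgt_share, run_loop) and the failure pattern (every odd iteration fails) are assumptions of the example.

```c
/* Added example, not from the cifs patch or the kernel tree. Models the
 * kfree(); kfree(); dfs_cache_get_tgt_share() loop with a tiny allocator
 * that counts double frees instead of corrupting memory. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 16

static int slot_live[SLOTS];   /* 1 while "allocated", 0 once freed */
static int next_slot;
static int double_frees;       /* bumped when an already-freed slot is freed */

static void sim_reset(void)
{
    memset(slot_live, 0, sizeof slot_live);
    next_slot = 0;
    double_frees = 0;
}

/* Hypothetical kmalloc(): hands out the next slot and marks it live. */
static int *sim_alloc(void)
{
    if (next_slot >= SLOTS)
        return NULL;
    slot_live[next_slot] = 1;
    return &slot_live[next_slot++];
}

/* Hypothetical kfree(): NULL is a no-op, like the real one; freeing a
 * slot that is already dead is recorded as a double free. */
static void sim_free(int *p)
{
    if (!p)
        return;
    if (*p == 0)
        double_frees++;
    *p = 0;
}

/* Stand-in for dfs_cache_get_tgt_share() (assumed behaviour): succeeds on
 * even iterations and fills both out-params; on odd iterations it fails
 * and, crucially, leaves *share and *prefix exactly as it found them. */
static int fake_get_tgt_share(int iter, int **share, int **prefix)
{
    if (iter % 2)
        return -1;
    *share = sim_alloc();
    *prefix = sim_alloc();
    return 0;
}

/* The loop shape from the hunk. reset_to_null selects whether the
 * "share = NULL; prefix = NULL;" lines the patch adds are present.
 * Returns the number of double frees observed over the whole run,
 * including the cleanup after the loop. */
static int run_loop(int iterations, int reset_to_null)
{
    int *share = NULL, *prefix = NULL;
    int iter, rc;

    sim_reset();
    for (iter = 0; iter < iterations; iter++) {
        sim_free(share);
        sim_free(prefix);
        if (reset_to_null) {
            share = NULL;
            prefix = NULL;
        }
        rc = fake_get_tgt_share(iter, &share, &prefix);
        if (rc)
            continue;   /* failed target: try the next one, as the loop does */
        /* ... a real caller would attempt the tree connect here ... */
    }
    /* Final cleanup after the loop frees whatever is still held. */
    sim_free(share);
    sim_free(prefix);
    return double_frees;
}

int main(void)
{
    printf("without NULL reset: %d double frees\n", run_loop(4, 0));
    printf("with NULL reset:    %d double frees\n", run_loop(4, 1));
    return 0;
}
```

Without the reset, every failed call leaves the pointers freed at the top of that iteration dangling, and they are freed again either at the next iteration's kfree() pair or in the cleanup after the loop; with the reset those later frees see NULL and do nothing, which is exactly the property the two added lines buy.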