Hello Ronnie Sahlberg,

The patch d17abdf75665: "cifs: add an smb3_fs_context to cifs_sb" from
Nov 10, 2020, leads to the following static checker warning:

	fs/cifs/cifsfs.c:876 cifs_smb3_do_mount()
	error: double free of 'cifs_sb->prepath'

fs/cifs/cifsfs.c
   813          rc = cifs_setup_cifs_sb(cifs_sb);
   814          if (rc) {
   815                  root = ERR_PTR(rc);
   816                  goto out;
   817          }
   818
   819          rc = cifs_mount(cifs_sb, cifs_sb->ctx);
   820          if (rc) {
   821                  if (!(flags & SB_SILENT))
   822                          cifs_dbg(VFS, "cifs_mount failed w/return code = %d\n",
   823                                   rc);
   824                  root = ERR_PTR(rc);
   825                  goto out;
   826          }
   827
   828          mnt_data.ctx = cifs_sb->ctx;
   829          mnt_data.cifs_sb = cifs_sb;
   830          mnt_data.flags = flags;
   831
   832          /* BB should we make this contingent on mount parm? */
   833          flags |= SB_NODIRATIME | SB_NOATIME;
   834
   835          sb = sget(fs_type, cifs_match_super, cifs_set_super, flags, &mnt_data);
   836          if (IS_ERR(sb)) {
   837                  root = ERR_CAST(sb);
   838                  cifs_umount(cifs_sb);

cifs_umount() frees everything.  Smatch doesn't catch some of it because
it happens in a delayed thread.

   839                  goto out;
   840          }
   841
   842          if (sb->s_root) {
   843                  cifs_dbg(FYI, "Use existing superblock\n");
   844                  cifs_umount(cifs_sb);
                        ^^^^^^^^^^^^^^^^^^^^
This frees "cifs_sb".

   845          } else {
   846                  rc = cifs_read_super(sb);
   847                  if (rc) {
   848                          root = ERR_PTR(rc);
   849                          goto out_super;
   850                  }
   851
   852                  sb->s_flags |= SB_ACTIVE;
   853          }
   854
   855          root = cifs_get_root(cifs_sb->ctx, sb);
                                     ^^^^^^^^^^^^
So this is a use after free.

   856          if (IS_ERR(root))
   857                  goto out_super;
   858
   859          cifs_dbg(FYI, "dentry root is: %p\n", root);
   860          return root;
   861
   862  out_super:
   863          deactivate_locked_super(sb);
   864  out:
   865          if (cifs_sb) {
   866                  kfree(cifs_sb->prepath);
   867                  smb3_cleanup_fs_context(cifs_sb->ctx);
   868                  kfree(cifs_sb);

All three of these are double frees.

   869          }
   870          return root;
   871  }

regards,
dan carpenter