Hi Shyam

That is a really good analysis.

After we have called deactivate_locked_super(), which will eventually call delayed_free(), we should not explicitly try to do the same work as delayed_free() already does.

I think we should simply add a return root; after the call to deactivate_locked_super(), like this:

out_super:
	deactivate_locked_super(sb);
	return root;
out:
	...

regards
ronnie sahlberg

On Fri, Feb 11, 2022 at 12:24 AM Shyam Prasad N <nspmangalore@xxxxxxxxx> wrote:
>
> Hi David/Steve/Ronnie,
>
> I hit a "double free or use after free" kasan warning today when I was
> running some test.
> Attached the warnings.
>
> It looks to me like one of the issues is this:
> In cifs_smb3_do_mount, we call deactivate_locked_super when we fail to
> get a ref to the root dentry.
> deactivate_locked_super calls cifs_umount which frees the fs_context and sb.
> Then, we later go on to free these again:
> out_super:
> 	deactivate_locked_super(sb);
> out:
> 	if (cifs_sb) {
> 		kfree(cifs_sb->prepath);
> 		smb3_cleanup_fs_context(cifs_sb->ctx);
> 		kfree(cifs_sb);
> 	}
> 	return root;
>
> I don't know if the rest of the warnings are related. Please check.
>
> --
> Regards,
> Shyam
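The unwind pattern the thread describes, as an added constructed model rather than kernel code: the superblock teardown helper already releases cifs_sb and its fs_context, so falling through from out_super: to out: releases them twice, and an early return after the deactivate call (Ronnie's proposal) avoids that. All struct and function names are stand-ins; releases are counted instead of performed so the double free is observable rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model (hypothetical names): a superblock owns cifs_sb,
 * which owns a fs_context. Releases are counted, not performed. */
struct fs_ctx { int releases; };
struct cifs_sb_info { struct fs_ctx *ctx; int releases; };
struct super_block { struct cifs_sb_info *cifs_sb; };

static void smb3_cleanup_fs_context_model(struct fs_ctx *ctx) { ctx->releases++; }

static void cifs_sb_release_model(struct cifs_sb_info *csb)
{
    smb3_cleanup_fs_context_model(csb->ctx);
    csb->releases++;
}

/* Stand-in for deactivate_locked_super(): per the report it reaches
 * cifs_umount(), which already frees the fs_context and cifs_sb. */
static void deactivate_locked_super_model(struct super_block *sb)
{
    cifs_sb_release_model(sb->cifs_sb);
}

/* Unwind for the "could not get a ref to the root dentry" case.
 * fixed=false is the fall-through the report describes; fixed=true
 * returns right after the deactivate call, as proposed in the reply.
 * Returns how many times cifs_sb was released: 1 is correct, 2 is the
 * double free KASAN would flag. */
static int mount_unwind_model(bool fixed)
{
    struct fs_ctx ctx = { 0 };
    struct cifs_sb_info csb = { &ctx, 0 };
    struct super_block sb = { &csb };
    struct cifs_sb_info *cifs_sb = &csb;

    /* out_super: superblock teardown owns cifs_sb from here on */
    deactivate_locked_super_model(&sb);
    if (fixed)
        return cifs_sb->releases;   /* nothing left for out: to do */

    /* out: still needed by earlier failures that never created sb;
     * reaching it after out_super: releases cifs_sb a second time */
    if (cifs_sb)
        cifs_sb_release_model(cifs_sb);
    return cifs_sb->releases;
}
```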