- smbfs-double-free-memory-corruption.patch removed from -mm tree

The patch titled
     smbfs: double free memory corruption
has been removed from the -mm tree.  Its filename was
     smbfs-double-free-memory-corruption.patch

This patch was dropped because it was merged into mainline or a subsystem tree.

------------------------------------------------------
Subject: smbfs: double free memory corruption
From: Vasily Averin <vvs@xxxxx>

smbfs allocates rq_trans2buffer to handle the server's multi transaction2
response messages.  As struct smb_request may be reused, rq_trans2buffer is
freed before each new request.  However, if the last server's response is not
a multi but a single trans2 message, then a new rq_trans2buffer is not
allocated, but the last smb_rput still tries to free it again.

To prevent this issue rq_trans2buffer pointer should be set to NULL after
kfree.

Signed-off-by: Vasily Averin <vvs@xxxxx>

Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/smbfs/request.c |    1 +
 1 file changed, 1 insertion(+)

diff -puN fs/smbfs/request.c~smbfs-double-free-memory-corruption fs/smbfs/request.c
--- a/fs/smbfs/request.c~smbfs-double-free-memory-corruption
+++ a/fs/smbfs/request.c
@@ -181,6 +181,7 @@ static int smb_setup_request(struct smb_
 	req->rq_errno = 0;
 	req->rq_fragment = 0;
 	kfree(req->rq_trans2buffer);
+	req->rq_trans2buffer = NULL;
 
 	return 0;
 }
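Review bot: the added `req->rq_trans2buffer = NULL;` after the kfree() in smb_setup_request() carries no comment, and nothing in the function says why the pointer has to be cleared. Since the changelog explains that the request struct is reused and that a later smb_rput frees the same field, a one-line comment here (for example "request is reused; a single trans2 reply allocates no new buffer") would keep a later cleanup from dropping the assignment as redundant. This hunk covers only smb_setup_request(); any other place that frees rq_trans2buffer while the request can still be reused or put needs the same free-then-clear pairing.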
_

Patches currently in -mm which might be from vvs@xxxxx are

origin.patch
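
The lifecycle described in the changelog, as an added user-space example that is not part of the original patch or of smbfs. All names (model_req, model_setup, model_receive, model_put, tracked_free) are hypothetical stand-ins, and the wrapper counts a stale free instead of passing it to the allocator.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model; not the smbfs code. */
struct model_req { void *trans2buffer; };  /* stands in for rq_trans2buffer */

static void *live_buf;  /* the one buffer currently allocated, if any */
static int bad_frees;   /* frees of a pointer that is no longer live */

static void *tracked_alloc(size_t n) { live_buf = malloc(n); return live_buf; }

/* Records a stale free instead of handing it to the allocator. */
static void tracked_free(void *p)
{
    if (!p) return;                          /* like kfree(NULL): no-op */
    if (p != live_buf) { bad_frees++; return; }
    free(p);
    live_buf = NULL;
}

/* Reset before reuse; clear_ptr = 1 models the patched behaviour. */
static void model_setup(struct model_req *req, int clear_ptr)
{
    tracked_free(req->trans2buffer);
    if (clear_ptr) req->trans2buffer = NULL;
}

/* Only a multi-part response allocates a reassembly buffer. */
static void model_receive(struct model_req *req, int multi)
{
    if (multi) req->trans2buffer = tracked_alloc(64);
}

/* Final release of the request (the role the changelog gives smb_rput). */
static void model_put(struct model_req *req) { tracked_free(req->trans2buffer); }

/* Multi response, reuse, single response, final put. Returns stale frees. */
static int run_sequence(int clear_ptr)
{
    struct model_req req = { NULL };
    bad_frees = 0; live_buf = NULL;
    model_setup(&req, clear_ptr); model_receive(&req, 1);
    model_setup(&req, clear_ptr); model_receive(&req, 0);
    model_put(&req);
    return bad_frees;
}

int main(void)
{
    printf("without clearing: %d stale free(s)\n", run_sequence(0));
    printf("with clearing:    %d stale free(s)\n", run_sequence(1));
    return 0;
}
```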
