• Jeff Layton's avatar
    cifs: don't allow cifs_reconnect to exit with NULL socket pointer · 7fdbaa1b
    Jeff Layton authored
    It's possible for the following set of events to happen:
    
    cifsd calls cifs_reconnect which reconnects the socket. A userspace
    process then calls cifs_negotiate_protocol to handle the NEGOTIATE and
    gets a reply. But, while processing the reply, cifsd calls
    cifs_reconnect again.  Eventually the GlobalMid_Lock is dropped and the
    reply from the earlier NEGOTIATE completes and the tcpStatus is set to
    CifsGood. cifs_reconnect then goes through and closes the socket and sets the
    pointer to zero, but because the status is now CifsGood, the new socket
    is not created and cifs_reconnect exits with the socket pointer set to
    NULL.
    
    Fix this by only setting the tcpStatus to CifsGood if the tcpStatus is
    CifsNeedNegotiate, and by making sure that generic_ip_connect is always
    called at least once in cifs_reconnect.
    
    Note that this is not a perfect fix for this issue. It's still possible
    that the NEGOTIATE reply is handled after the socket has been closed and
    reconnected. In that case, the socket state will look correct but it no
    NEGOTIATE was performed on it be for the wrong socket. In that situation
    though the server should just shut down the socket on the next attempted
    send, rather than causing the oops that occurs today.
    
    Cc: <stable@kernel.org> # .38.x: fd88ce93: [CIFS] cifs: clarify the meaning of tcpStatus == CifsGood
    Reported-and-Tested-by: default avatarBen Greear <greearb@candelatech.com>
    Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
    Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
    7fdbaa1b
connect.c 103 KB