
Bug 544417

Summary: cifs: possible NULL pointer dereference in mount-time DFS referral chasing code
Product: Red Hat Enterprise Linux 5
Reporter: Jeff Layton <jlayton>
Component: kernel
Assignee: Jeff Layton <jlayton>
Status: CLOSED ERRATA
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium
Docs Contact:
Priority: high
Version: 5.5
CC: rwheeler, steved, yanwang
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 545984 (view as bug list)
Environment:
Last Closed: 2010-03-30 07:18:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 526950, 545984

Attachments:
Description: patch -- zero out relevant pointers before chasing DFS referral
Flags: none

Description Jeff Layton 2009-12-04 20:28:46 UTC
Created attachment 376194 [details]
patch -- zero out relevant pointers before chasing DFS referral

The upstream mailing list got a report of some oopses when attempting to chase a DFS referral at mount time if net connectivity to the referral target was spotty.

After some code analysis, I came up with the attached patch that's being pushed to -stable. I think we want the same patch in 5.5.

The upstream thread on this starts here:

http://lists.samba.org/archive/linux-cifs-client/2009-December/005428.html

Comment 1 RHEL Program Management 2009-12-04 20:51:56 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 2 Jeff Layton 2009-12-07 13:14:58 UTC
This is reproducible:

Basically you need 2 SMB servers, one has a DFS referral that points to the other server. You'll need an account on the first server (the referrer) but be unable to log into the second server (the referee) with the same account.

Try to mount the DFS referral and it will fail with EPERM or something similar. The cifsd kernel thread will still be running however and can't be shut down. What happens in this situation is that a new pSesInfo pointer is allocated on top of the old one, but in the cleanup phase that isn't put. Instead, the old tcon pointer is put again, which corrupts memory and leaves the new SMB and TCP sessions dangling.
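The failure sequence described in the comment above, as an added model in C. This is constructed for this page; it is not the kernel's cifs mount code and not the attached patch. The three objects stand in for srvTcp, pSesInfo and tcon with the kernel's ownership chain (tcon owns the session reference, the session owns the TCP reference), the scripted outcomes (first tree connect returns a referral, second session setup is refused) are assumptions, and freed objects are kept and marked so the stale put is counted instead of corrupting memory. toy_mount(0, ...) reproduces the bug; toy_mount(1, ...) applies the fix the attachment title describes, NULLing the pointers before chasing the referral.

```c
#include <stdio.h>

/* Constructed model of the mount-time cleanup ordering in the report,
 * not fs/cifs code.  Each level owns the reference on the one below it,
 * so putting the tcon tears down the session and TCP connection too.
 * Freed objects stay in the pool, marked, so a put on a stale pointer is
 * counted rather than being a use-after-free. */

#define MAX_OBJS 16

struct obj {
    const char *name;
    int refs;
    int freed;
    struct obj *owned;      /* object below us whose reference we own */
};

struct stats {
    int double_puts;        /* puts on an already-freed object (UAF in the kernel) */
    int leaked;             /* objects still live after a failed mount */
};

static struct obj pool[MAX_OBJS];
static int npool;

static struct obj *obj_get(const char *name, struct obj *owned)
{
    struct obj *o = &pool[npool++];
    o->name = name;
    o->refs = 1;
    o->freed = 0;
    o->owned = owned;
    return o;
}

static void obj_put(struct obj *o, struct stats *st)
{
    if (o->freed) {
        st->double_puts++;              /* stale pointer: the bug's "put again" */
        return;
    }
    if (--o->refs == 0) {
        o->freed = 1;
        if (o->owned)
            obj_put(o->owned, st);
    }
}

/* Scripted outcomes (assumptions of the model): the first tree connect
 * returns a DFS referral; session setup against the referral target is
 * refused, like the EPERM in the report. */
static int tree_connect_gets_referral(int attempt) { return attempt == 1; }
static int session_setup_fails(int attempt)       { return attempt == 2; }

/* zero_on_retry == 0 keeps stale pointers across the retry (the bug);
 * zero_on_retry == 1 NULLs them before chasing the referral (the fix).
 * Returns 0 on success, -1 on failure; *st records what cleanup did. */
static int toy_mount(int zero_on_retry, struct stats *st)
{
    struct obj *srvTcp = NULL, *pSesInfo = NULL, *tcon = NULL;
    int attempt = 0, rc = 0;

    npool = 0;
    st->double_puts = 0;
    st->leaked = 0;

try_mount_again:
    attempt++;
    srvTcp = obj_get("srvTcp", NULL);
    if (session_setup_fails(attempt)) {
        rc = -1;
        pSesInfo = NULL;                /* only the session pointer is cleared here */
        goto mount_fail_check;
    }
    pSesInfo = obj_get("pSesInfo", srvTcp);
    tcon = obj_get("tcon", pSesInfo);

    if (tree_connect_gets_referral(attempt)) {
        obj_put(tcon, st);              /* drops session and TCP connection too */
        if (zero_on_retry) {
            tcon = NULL;
            pSesInfo = NULL;
            srvTcp = NULL;
        }
        goto try_mount_again;
    }
    rc = 0;

mount_fail_check:
    if (rc) {
        /* Put the highest-level object we still appear to hold.  With
         * stale pointers that is the tcon freed on the first attempt,
         * and the new srvTcp is never put. */
        if (tcon)
            obj_put(tcon, st);
        else if (pSesInfo)
            obj_put(pSesInfo, st);
        else if (srvTcp)
            obj_put(srvTcp, st);
        for (int i = 0; i < npool; i++)
            if (!pool[i].freed)
                st->leaked++;
    }
    return rc;
}

int main(void)
{
    struct stats st;
    int rc = toy_mount(0, &st);
    printf("buggy: rc=%d double_puts=%d leaked=%d\n", rc, st.double_puts, st.leaked);
    rc = toy_mount(1, &st);
    printf("fixed: rc=%d double_puts=%d leaked=%d\n", rc, st.double_puts, st.leaked);
    return 0;
}
```

The buggy run ends with one put on the already-freed tcon and one live TCP session that nothing will ever release, which is the dangling cifsd thread in the report; the fixed run has neither. The model does not cover the success path, where the mount legitimately keeps all three objects alive.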

Comment 4 Don Zickus 2009-12-11 19:32:04 UTC
in kernel-2.6.18-179.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please update the appropriate value in the Verified field
(cf_verified) to indicate this fix has been successfully
verified. Include a comment with verification details.

Comment 6 yanfu,wang 2010-02-21 05:21:34 UTC
Hard to reproduce; only did code review.

Comment 8 errata-xmlrpc 2010-03-30 07:18:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0178.html