Created attachment 376194: patch -- zero out relevant pointers before chasing DFS referral

The upstream mailing list got a report of some oopses when attempting to chase a DFS referral at mount time if net connectivity to the referral target was spotty. After some code analysis, I came up with the attached patch that's being pushed to -stable. I think we want the same patch in 5.5. The upstream thread on this starts here: http://lists.samba.org/archive/linux-cifs-client/2009-December/005428.html
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
This is reproducible: Basically you need 2 SMB servers, one has a DFS referral that points to the other server. You'll need an account on the first server (the referrer) but be unable to log into the second server (the referee) with the same account. Try to mount the DFS referral and it will fail with EPERM or something similar. The cifsd kernel thread will still be running however and can't be shut down. What happens in this situation is that a new pSesInfo pointer is allocated on top of the old one, but in the cleanup phase that isn't put. Instead, the old tcon pointer is put again, which corrupts memory and leaves the new SMB and TCP sessions dangling.
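The failure mode described above (a pointer overwritten by the retry, then the stale pointer released a second time) can be modelled with toy refcounts. The following is an added illustration, not the cifs code or the attached patch; `session`, `tcon`, `connect_server`, `cleanup` and `run_mount` are placeholders that stand in for the real structures and mount path. Memory is deliberately never returned to the allocator so the second put on the released tcon is counted instead of becoming a real use-after-free.

```c
#include <stdlib.h>

/* Toy refcounted objects standing in for an SMB session and a tree
 * connection (tcon). Placeholders for illustration only. */
struct session { int refs; int freed; };
struct tcon    { int refs; int freed; struct session *ses; };

/* Bookkeeping inspected afterwards: sessions still alive (the leak) and
 * puts on an already-released tcon (the double put that corrupts memory). */
static int live_sessions;
static int tcon_double_puts;

static struct session *ses_new(void)
{
    struct session *s = calloc(1, sizeof *s);
    s->refs = 1;
    live_sessions++;
    return s;
}

static void ses_put(struct session *s)
{
    if (s->freed) return;
    if (--s->refs == 0) { s->freed = 1; live_sessions--; }
}

static struct tcon *tcon_new(struct session *s)
{
    struct tcon *t = calloc(1, sizeof *t);
    t->refs = 1;
    t->ses = s;                 /* the tcon owns the session reference */
    return t;
}

static void tcon_put(struct tcon *t)
{
    if (t->freed) { tcon_double_puts++; return; }   /* would be a UAF for real */
    if (--t->refs == 0) { t->freed = 1; ses_put(t->ses); }
}

struct mount_ctx { struct session *ses; struct tcon *tcon; };

/* Connect to a server: the session is always set up, the tree connect
 * (which needs the account accepted) may fail and returns -1. */
static int connect_server(struct mount_ctx *c, int login_ok)
{
    c->ses = ses_new();
    if (!login_ok) return -1;
    c->tcon = tcon_new(c->ses);
    return 0;
}

/* Error path: release whatever the context still points at. */
static void cleanup(struct mount_ctx *c)
{
    if (c->tcon) tcon_put(c->tcon);
    else if (c->ses) ses_put(c->ses);
}

/* Mount flow: connect to the referrer, follow the referral, have the
 * referral target reject the account. zero_before_chase selects the fix. */
static void run_mount(int zero_before_chase)
{
    struct mount_ctx c = { 0 };
    live_sessions = 0;
    tcon_double_puts = 0;

    connect_server(&c, 1);      /* referrer: login OK, share is a DFS referral */
    tcon_put(c.tcon);           /* drop the referrer's tcon and its session */
    if (zero_before_chase) { c.tcon = NULL; c.ses = NULL; }

    if (connect_server(&c, 0) != 0)   /* referral target rejects the account */
        cleanup(&c);            /* buggy path puts the stale tcon again */
}

int sessions_leaked(int zero_before_chase)
{
    run_mount(zero_before_chase);
    return live_sessions;
}

int stale_tcon_puts(int zero_before_chase)
{
    run_mount(zero_before_chase);
    return tcon_double_puts;
}
```

With the pointers left in place, the new session is never put (one leaked session, matching the dangling cifsd described above) and the old tcon is put a second time; clearing both pointers before the chase makes the error path release only the session the retry actually created.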
in kernel-2.6.18-179.el5

You can download this test kernel from http://people.redhat.com/dzickus/el5

Please update the appropriate value in the Verified field (cf_verified) to indicate this fix has been successfully verified. Include a comment with verification details.
hard to reproduce, only do code review
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2010-0178.html