From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mx2.suse.de ([195.135.220.15]:60705 "EHLO mx2.suse.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1947105AbcHRMuW (ORCPT <rfc822;stable@vger.kernel.org>);
	Thu, 18 Aug 2016 08:50:22 -0400
From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: Sachin Prabhu <sprabhu@redhat.com>,
	Steve French <smfrench@gmail.com>, Jiri Slaby <jslaby@suse.cz>
Subject: [patch added to 3.12-stable] cifs: Check for existing directory when opening file with O_CREAT
Date: Thu, 18 Aug 2016 14:49:42 +0200
Message-Id: <20160818124953.31969-37-jslaby@suse.cz>
In-Reply-To: <20160818124953.31969-1-jslaby@suse.cz>
References: <20160818124953.31969-1-jslaby@suse.cz>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

From: Sachin Prabhu <sprabhu@redhat.com>

This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.

===============

commit 8d9535b6efd86e6c07da59f97e68f44efb7fe080 upstream.

When opening a file with O_CREAT flag, check to see if the file opened
is an existing directory.

This prevents the directory from being opened which subsequently causes
a crash when the close function for directories cifs_closedir() is called
which frees up the file->private_data memory while the file is still
listed on the open file list for the tcon.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Reported-by: Xiaoli Feng <xifeng@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 fs/cifs/dir.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index f039c23d003d..7347f1678fa7 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -229,6 +229,13 @@ cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned int xid,
 				goto cifs_create_get_file_info;
 			}
 
+			if (S_ISDIR(newinode->i_mode)) {
+				CIFSSMBClose(xid, tcon, fid->netfid);
+				iput(newinode);
+				rc = -EISDIR;
+				goto out;
+			}
+
 			if (!S_ISREG(newinode->i_mode)) {
 				/*
 				 * The server may allow us to open things like
@@ -399,10 +406,14 @@ cifs_create_set_dentry:
 	if (rc != 0) {
 		cifs_dbg(FYI, "Create worked, get_inode_info failed rc = %d\n",
 			 rc);
-		if (server->ops->close)
-			server->ops->close(xid, tcon, fid);
-		goto out;
+		goto out_err;
 	}
+
+	if (S_ISDIR(newinode->i_mode)) {
+		rc = -EISDIR;
+		goto out_err;
+	}
+
 	d_drop(direntry);
 	d_add(direntry, newinode);
 
@@ -410,6 +421,13 @@ out:
 	kfree(buf);
 	kfree(full_path);
 	return rc;
+
+out_err:
+	if (server->ops->close)
+		server->ops->close(xid, tcon, fid);
+	if (newinode)
+		iput(newinode);
+	goto out;
 }
 
 int
-- 
2.9.3