[thirdparty/kernel/stable-queue.git] / queue-4.4 / ceph-fix-use-after-free-on-symlink-traversal.patch

From 0a17a064e10a590c45ffa66140fd6f6cd62149b2 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue, 26 Mar 2019 01:38:58 +0000
Subject: ceph: fix use-after-free on symlink traversal

[ Upstream commit daf5cc27eed99afdea8d96e71b89ba41f5406ef6 ]

free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
---
 fs/ceph/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index 9f0d99094cc1..a663b676d566 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -474,6 +474,7 @@ static void ceph_i_callback(struct rcu_head *head)
 	struct inode *inode = container_of(head, struct inode, i_rcu);
 	struct ceph_inode_info *ci = ceph_inode(inode);
 
+	kfree(ci->i_symlink);
 	kmem_cache_free(ceph_inode_cachep, ci);
 }
 
@@ -505,7 +506,6 @@ void ceph_destroy_inode(struct inode *inode)
 		ceph_put_snap_realm(mdsc, realm);
 	}
 
-	kfree(ci->i_symlink);
 	while ((n = rb_first(&ci->i_fragtree)) != NULL) {
 		frag = rb_entry(n, struct ceph_inode_frag, node);
 		rb_erase(n, &ci->i_fragtree);
-- 
2.19.1
Commit	Line	Data
dcd32332 SL	1	From 0a17a064e10a590c45ffa66140fd6f6cd62149b2 Mon Sep 17 00:00:00 2001
	2	From: Al Viro <viro@zeniv.linux.org.uk>
	3	Date: Tue, 26 Mar 2019 01:38:58 +0000
	4	Subject: ceph: fix use-after-free on symlink traversal
	5
	6	[ Upstream commit daf5cc27eed99afdea8d96e71b89ba41f5406ef6 ]
	7
	8	free the symlink body after the same RCU delay we have for freeing the
	9	struct inode itself, so that traversal during RCU pathwalk wouldn't step
	10	into freed memory.
	11
	12	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
	13	Reviewed-by: Jeff Layton <jlayton@kernel.org>
	14	Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
	15	Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
	16	---
	17	fs/ceph/inode.c \| 2 +-
	18	1 file changed, 1 insertion(+), 1 deletion(-)
	19
	20	diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
	21	index 9f0d99094cc1..a663b676d566 100644
	22	--- a/fs/ceph/inode.c
	23	+++ b/fs/ceph/inode.c
	24	@@ -474,6 +474,7 @@ static void ceph_i_callback(struct rcu_head *head)
	25	struct inode *inode = container_of(head, struct inode, i_rcu);
	26	struct ceph_inode_info *ci = ceph_inode(inode);
	27
	28	+ kfree(ci->i_symlink);
	29	kmem_cache_free(ceph_inode_cachep, ci);
	30	}
	31
	32	@@ -505,7 +506,6 @@ void ceph_destroy_inode(struct inode *inode)
	33	ceph_put_snap_realm(mdsc, realm);
	34	}
	35
	36	- kfree(ci->i_symlink);
	37	while ((n = rb_first(&ci->i_fragtree)) != NULL) {
	38	frag = rb_entry(n, struct ceph_inode_frag, node);
	39	rb_erase(n, &ci->i_fragtree);
	40	--
	41	2.19.1
	42