Commit | Line | Data |
---|---|---|
dcd32332 SL |
1 | From 0a17a064e10a590c45ffa66140fd6f6cd62149b2 Mon Sep 17 00:00:00 2001 |
2 | From: Al Viro <viro@zeniv.linux.org.uk> | |
3 | Date: Tue, 26 Mar 2019 01:38:58 +0000 | |
4 | Subject: ceph: fix use-after-free on symlink traversal | |
5 | ||
6 | [ Upstream commit daf5cc27eed99afdea8d96e71b89ba41f5406ef6 ] | |
7 | ||
8 | free the symlink body after the same RCU delay we have for freeing the | |
9 | struct inode itself, so that traversal during RCU pathwalk wouldn't step | |
10 | into freed memory. | |
11 | ||
12 | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> | |
13 | Reviewed-by: Jeff Layton <jlayton@kernel.org> | |
14 | Signed-off-by: Ilya Dryomov <idryomov@gmail.com> | |
15 | Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org> | |
16 | --- | |
17 | fs/ceph/inode.c | 2 +- | |
18 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
19 | ||
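diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index 9f0d99094cc1..a663b676d566 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -474,6 +474,7 @@ static void ceph_i_callback(struct rcu_head *head)
 struct inode *inode = container_of(head, struct inode, i_rcu);
 struct ceph_inode_info *ci = ceph_inode(inode);
 
+ kfree(ci->i_symlink);
 kmem_cache_free(ceph_inode_cachep, ci);
 }
 
@@ -505,7 +506,6 @@ void ceph_destroy_inode(struct inode *inode)
 ceph_put_snap_realm(mdsc, realm);
 }
 
- kfree(ci->i_symlink);
 while ((n = rb_first(&ci->i_fragtree)) != NULL) {
 frag = rb_entry(n, struct ceph_inode_frag, node);
 rb_erase(n, &ci->i_fragtree);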
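Review bot: The `kfree(ci->i_symlink);` added to ceph_i_callback has no comment saying why it sits in the RCU callback, so a later cleanup could move it back into ceph_destroy_inode and reintroduce the use-after-free that the commit message describes. I would put a comment above it such as `/* RCU pathwalk may still read i_symlink; free it only after the grace period, together with the inode */`. The body of ceph_destroy_inode starts and ends outside the second hunk, so I cannot tell from here whether it frees anything else that an RCU-walk reader might still dereference. That is worth checking against the same rule.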
40 | -- | |
41 | 2.19.1 | |
42 |