[thirdparty/kernel/stable-queue.git] / queue-4.4 / jffs2-fix-use-after-free-on-symlink-traversal.patch

From 2a6e6ca03f91565b6458df29edeb2334f6081938 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue, 26 Mar 2019 01:39:50 +0000
Subject: jffs2: fix use-after-free on symlink traversal

[ Upstream commit 4fdcfab5b5537c21891e22e65996d4d0dd8ab4ca ]

free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/jffs2/readinode.c | 5 -----
 fs/jffs2/super.c     | 5 ++++-
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c
index bfebbf13698c..5b52ea41b84f 100644
--- a/fs/jffs2/readinode.c
+++ b/fs/jffs2/readinode.c
@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f)
 
 	jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL);
 
-	if (f->target) {
-		kfree(f->target);
-		f->target = NULL;
-	}
-
 	fds = f->dents;
 	while(fds) {
 		fd = fds;
diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
index 023e7f32ee1b..9fc297df8c75 100644
--- a/fs/jffs2/super.c
+++ b/fs/jffs2/super.c
@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb)
 static void jffs2_i_callback(struct rcu_head *head)
 {
 	struct inode *inode = container_of(head, struct inode, i_rcu);
-	kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode));
+	struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+
+	kfree(f->target);
+	kmem_cache_free(jffs2_inode_cachep, f);
 }
 
 static void jffs2_destroy_inode(struct inode *inode)
-- 
2.20.1
Commit	Line	Data
288d6f25 SL	1	From 2a6e6ca03f91565b6458df29edeb2334f6081938 Mon Sep 17 00:00:00 2001
	2	From: Al Viro <viro@zeniv.linux.org.uk>
	3	Date: Tue, 26 Mar 2019 01:39:50 +0000
	4	Subject: jffs2: fix use-after-free on symlink traversal
	5
	6	[ Upstream commit 4fdcfab5b5537c21891e22e65996d4d0dd8ab4ca ]
	7
	8	free the symlink body after the same RCU delay we have for freeing the
	9	struct inode itself, so that traversal during RCU pathwalk wouldn't step
	10	into freed memory.
	11
	12	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
	13	Signed-off-by: Sasha Levin <sashal@kernel.org>
	14	---
	15	fs/jffs2/readinode.c \| 5 -----
	16	fs/jffs2/super.c \| 5 ++++-
	17	2 files changed, 4 insertions(+), 6 deletions(-)
	18
	19	diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c
	20	index bfebbf13698c..5b52ea41b84f 100644
	21	--- a/fs/jffs2/readinode.c
	22	+++ b/fs/jffs2/readinode.c
	23	@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info c, struct jffs2_inode_info f)
	24
	25	jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL);
	26
	27	- if (f->target) {
	28	- kfree(f->target);
	29	- f->target = NULL;
	30	- }
	31	-
	32	fds = f->dents;
	33	while(fds) {
	34	fd = fds;
	35	diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
	36	index 023e7f32ee1b..9fc297df8c75 100644
	37	--- a/fs/jffs2/super.c
	38	+++ b/fs/jffs2/super.c
	39	@@ -47,7 +47,10 @@ static struct inode jffs2_alloc_inode(struct super_block sb)
	40	static void jffs2_i_callback(struct rcu_head *head)
	41	{
	42	struct inode *inode = container_of(head, struct inode, i_rcu);
	43	- kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode));
	44	+ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
	45	+
	46	+ kfree(f->target);
	47	+ kmem_cache_free(jffs2_inode_cachep, f);
	48	}
	49
	50	static void jffs2_destroy_inode(struct inode *inode)
	51	--
	52	2.20.1
	53