1 From 88add4be9198143358e9817a728ff4dfa48d729f Mon Sep 17 00:00:00 2001
2 From: Al Viro <viro@zeniv.linux.org.uk>
3 Date: Tue, 26 Mar 2019 01:43:37 +0000
4 Subject: debugfs: fix use-after-free on symlink traversal
6 [ Upstream commit 93b919da64c15b90953f96a536e5e61df896ca57 ]
8 symlink body shouldn't be freed without an RCU delay. Switch debugfs to
9 ->destroy_inode() and use of call_rcu(); free both the inode and symlink
10 body in the callback. Similar to solution for bpf, only here it's even
11 more obvious that ->evict_inode() can be dropped.
13 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
14 Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
16 fs/debugfs/inode.c | 13 +++++++++----
17 1 file changed, 9 insertions(+), 4 deletions(-)
19 diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
20 index 29c68c5d44d5..c4a4fc6f1a95 100644
21 --- a/fs/debugfs/inode.c
22 +++ b/fs/debugfs/inode.c
23 @@ -163,19 +163,24 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root)
27 -static void debugfs_evict_inode(struct inode *inode)
28 +static void debugfs_i_callback(struct rcu_head *head)
30 - truncate_inode_pages_final(&inode->i_data);
32 + struct inode *inode = container_of(head, struct inode, i_rcu);
33 if (S_ISLNK(inode->i_mode))
35 + free_inode_nonrcu(inode);
38 +static void debugfs_destroy_inode(struct inode *inode)
40 + call_rcu(&inode->i_rcu, debugfs_i_callback);
43 static const struct super_operations debugfs_super_operations = {
44 .statfs = simple_statfs,
45 .remount_fs = debugfs_remount,
46 .show_options = debugfs_show_options,
47 - .evict_inode = debugfs_evict_inode,
48 + .destroy_inode = debugfs_destroy_inode,
51 static void debugfs_release_dentry(struct dentry *dentry)