authorAl Viro <viro@zeniv.linux.org.uk>2019-03-26 01:38:58 +0000
committerIlya Dryomov <idryomov@gmail.com>2019-03-27 19:00:37 +0100
commitdaf5cc27eed99afdea8d96e71b89ba41f5406ef6 (patch)
tree388c0f95be488d43a4576b871657e38dfc7740e2 /fs/ceph
parent187df76325af5d9e12ae9daec1510307797e54f0 (diff)
ceph: fix use-after-free on symlink traversal
free the symlink body after the same RCU delay we have for freeing the struct inode itself, so that traversal during RCU pathwalk wouldn't step into freed memory. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index e3346628efe2..2d61ddda9bf5 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head)
struct inode *inode = container_of(head, struct inode, i_rcu);
struct ceph_inode_info *ci = ceph_inode(inode);
+ kfree(ci->i_symlink);
kmem_cache_free(ceph_inode_cachep, ci);
@@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode)
- kfree(ci->i_symlink);
while ((n = rb_first(&ci->i_fragtree)) != NULL) {
frag = rb_entry(n, struct ceph_inode_frag, node);
rb_erase(n, &ci->i_fragtree);