ceph: fix use-after-free on symlink traversal

free the symlink body after the same RCU delay we have for freeing the struct inode itself, so that traversal during RCU pathwalk wouldn't step into freed memory. Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk> Reviewed-by: N Jeff Layton <jlayton@kernel.org> Signed-off-by: N Ilya Dryomov <idryomov@gmail.com>

ceph: fix use-after-free on symlink traversal
free the symlink body after the same RCU delay we have for freeing the struct inode itself, so that traversal during RCU pathwalk wouldn't step into freed memory. Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk> Reviewed-by: N Jeff Layton <jlayton@kernel.org> Signed-off-by: N Ilya Dryomov <idryomov@gmail.com>
daf5cc27 · Al Viro · Ilya Dryomov · 187df763 · daf5cc27
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

fs/ceph/inode.c fs/ceph/inode.c +1 -1

未找到文件。
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head)
 	struct inode *inode = container_of(head, struct inode, i_rcu);
 	struct ceph_inode_info *ci = ceph_inode(inode);
+	kfree(ci->i_symlink);
 	kmem_cache_free(ceph_inode_cachep, ci);
 }
@@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode)
 		}
 	}
-	kfree(ci->i_symlink);
 	while ((n = rb_first(&ci->i_fragtree)) != NULL) {
 		frag = rb_entry(n, struct ceph_inode_frag, node);
 		rb_erase(n, &ci->i_fragtree);