autofs: fix use-after-free in lockless ->d_manage()

mainline inclusion from mainline-5.2-rc1 commit ce285c26 category: bugfix bugzilla: 14537 CVE: NA --------------------------- autofs_d_release() can overlap with lockless ->d_manage(), ending up with autofs_dentry_ino() freed under the latter. Make freeing autofs_info instances RCU-delayed... Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: N zhengbin <zhengbin13@huawei.com> Reviewed-by: N zhangyi (F) <yi.zhang@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

autofs: fix use-after-free in lockless ->d_manage()
mainline inclusion from mainline-5.2-rc1 commit ce285c26 category: bugfix bugzilla: 14537 CVE: NA --------------------------- autofs_d_release() can overlap with lockless ->d_manage(), ending up with autofs_dentry_ino() freed under the latter. Make freeing autofs_info instances RCU-delayed... Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: N zhengbin <zhengbin13@huawei.com> Reviewed-by: N zhangyi (F) <yi.zhang@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
e8b205bf · Al Viro · Xie XiuQi · 627ada44 · e8b205bf · e8b205bf
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

fs/autofs/autofs_i.h fs/autofs/autofs_i.h +1 -0

fs/autofs/inode.c fs/autofs/inode.c +1 -1

未找到文件。
--- a/fs/autofs/autofs_i.h
+++ b/fs/autofs/autofs_i.h
@@ -69,6 +69,7 @@ struct autofs_info {
 	kuid_t uid;
 	kgid_t gid;
+	struct rcu_head rcu;
 };
 #define AUTOFS_INF_EXPIRING	(1<<0) /* dentry in the process of expiring */

--- a/fs/autofs/inode.c
+++ b/fs/autofs/inode.c
@@ -36,7 +36,7 @@ void autofs_clean_ino(struct autofs_info *ino)
 void autofs_free_ino(struct autofs_info *ino)
 {
-	kfree(ino);
+	kfree_rcu(ino, rcu);
 }
 void autofs_kill_sb(struct super_block *sb)