diff options
| author | Al Viro <[email protected]> | 2019-03-26 01:38:58 +0000 |
|---|---|---|
| committer | Ilya Dryomov <[email protected]> | 2019-03-27 19:00:37 +0100 |
| commit | daf5cc27eed99afdea8d96e71b89ba41f5406ef6 (patch) | |
| tree | 388c0f95be488d43a4576b871657e38dfc7740e2 | |
| parent | 187df76325af5d9e12ae9daec1510307797e54f0 (diff) | |
ceph: fix use-after-free on symlink traversal
free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.
Signed-off-by: Al Viro <[email protected]>
Reviewed-by: Jeff Layton <[email protected]>
Signed-off-by: Ilya Dryomov <[email protected]>
| -rw-r--r-- | fs/ceph/inode.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c index e3346628efe2..2d61ddda9bf5 100644 --- a/fs/ceph/inode.c +++ b/fs/ceph/inode.c @@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head) struct inode *inode = container_of(head, struct inode, i_rcu); struct ceph_inode_info *ci = ceph_inode(inode); + kfree(ci->i_symlink); kmem_cache_free(ceph_inode_cachep, ci); } @@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode) } } - kfree(ci->i_symlink); while ((n = rb_first(&ci->i_fragtree)) != NULL) { frag = rb_entry(n, struct ceph_inode_frag, node); rb_erase(n, &ci->i_fragtree); |