summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2019-03-26 02:40:38 +0100
committerAl Viro <viro@zeniv.linux.org.uk>2019-04-01 06:31:02 +0200
commit0cdc17ebd2072b6cdd3ec3695ea7ede745664a8b (patch)
tree7feee598cba29b9c9adf1a3d7c4e9548860a24f3
parentjffs2: fix use-after-free on symlink traversal (diff)
downloadlinux-0cdc17ebd2072b6cdd3ec3695ea7ede745664a8b.tar.xz
linux-0cdc17ebd2072b6cdd3ec3695ea7ede745664a8b.zip
ubifs: fix use-after-free on symlink traversal
free the symlink body after the same RCU delay we have for freeing the struct inode itself, so that traversal during RCU pathwalk wouldn't step into freed memory. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r--fs/ubifs/super.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index 8dc2818fdd84..12628184772c 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -276,14 +276,12 @@ static void ubifs_i_callback(struct rcu_head *head)
{
struct inode *inode = container_of(head, struct inode, i_rcu);
struct ubifs_inode *ui = ubifs_inode(inode);
+ kfree(ui->data);
kmem_cache_free(ubifs_inode_slab, ui);
}
static void ubifs_destroy_inode(struct inode *inode)
{
- struct ubifs_inode *ui = ubifs_inode(inode);
-
- kfree(ui->data);
call_rcu(&inode->i_rcu, ubifs_i_callback);
}