author | Al Viro <viro@zeniv.linux.org.uk> | 2019-03-26 02:39:50 +0100 |
committer | Al Viro <viro@zeniv.linux.org.uk> | 2019-04-01 06:31:02 +0200 |
commit | 4fdcfab5b5537c21891e22e65996d4d0dd8ab4ca (patch) | |
tree | d0c9167b762a5837ac3030d2f1e869454a4c4ac6 /fs/jffs2/super.c | |
parent | Linux 5.1-rc1 (diff) | |
download | linux-4fdcfab5b5537c21891e22e65996d4d0dd8ab4ca.tar.xz linux-4fdcfab5b5537c21891e22e65996d4d0dd8ab4ca.zip |
jffs2: fix use-after-free on symlink traversal
free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to '')
-rw-r--r-- | fs/jffs2/super.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
index bb6ae387469f..05d892c79339 100644
--- a/fs/jffs2/super.c
+++ b/fs/jffs2/super.c
@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb)
 static void jffs2_i_callback(struct rcu_head *head)
 {
  struct inode *inode = container_of(head, struct inode, i_rcu);
- kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode));
+ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+
+ kfree(f->target);
+ kmem_cache_free(jffs2_inode_cachep, f);
 }
 
 static void jffs2_destroy_inode(struct inode *inode)
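Review bot: The added `kfree(f->target)` in jffs2_i_callback is only safe if no earlier teardown path still frees the symlink body, otherwise the same buffer is freed twice; this page's diffstat is limited to fs/jffs2/super.c, so the matching removal of that kfree from the inode clear path (jffs2_do_clear_inode in readinode.c, if that is where it lived) is not visible here and should be confirmed. Because the slab object is reused without being re-zeroed, `f->target` also has to be reset to NULL whenever the inode info is re-initialised, or a stale pointer from a previous lifetime reaches this callback — presumably jffs2_init_inode_info does that; verify. A short why-comment above the kfree would help the next reader, e.g. `/* symlink body may still be read by RCU pathwalk: free it after the same grace period as the inode */`.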