From: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue, 26 Mar 2019 01:38:58 +0000 (+0000)
Subject: ceph: fix use-after-free on symlink traversal
X-Git-Tag: v5.1-rc3~27^2
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=daf5cc27eed99afdea8d96e71b89ba41f5406ef6;p=users%2Fdwmw2%2Flinux.git

ceph: fix use-after-free on symlink traversal

free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
---

diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index e3346628efe2e..2d61ddda9bf56 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head)
 	struct inode *inode = container_of(head, struct inode, i_rcu);
 	struct ceph_inode_info *ci = ceph_inode(inode);
 
+	kfree(ci->i_symlink);
 	kmem_cache_free(ceph_inode_cachep, ci);
 }
 
@@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode)
 		}
 	}
 
-	kfree(ci->i_symlink);
 	while ((n = rb_first(&ci->i_fragtree)) != NULL) {
 		frag = rb_entry(n, struct ceph_inode_frag, node);
 		rb_erase(n, &ci->i_fragtree);