ubifs: fix use-after-free on symlink traversal

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Al Viro 7 years ago 0cdc17eb 4fdcfab5

+1 -3

1 changed file

expand all

ubifs

super.c

+1 -3

fs/ubifs/super.c

··· 276 276 { 277 277 struct inode *inode = container_of(head, struct inode, i_rcu); 278 278 struct ubifs_inode *ui = ubifs_inode(inode); 279 + kfree(ui->data); 279 280 kmem_cache_free(ubifs_inode_slab, ui); 280 281 } 281 282 282 283 static void ubifs_destroy_inode(struct inode *inode) 283 284 { 284 - struct ubifs_inode *ui = ubifs_inode(inode); 285 - 286 - kfree(ui->data); 287 285 call_rcu(&inode->i_rcu, ubifs_i_callback); 288 286 } 289 287