Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0cdc17eb authored by Al Viro's avatar Al Viro
Browse files

ubifs: fix use-after-free on symlink traversal 



free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.

Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 4fdcfab5

fs/ubifs/super.c

+1 −3
Original line number Diff line number Diff line
@@ -276,14 +276,12 @@ static void ubifs_i_callback(struct rcu_head *head) 
{

	struct inode *inode = container_of(head, struct inode, i_rcu);

	struct ubifs_inode *ui = ubifs_inode(inode);

	kfree(ui->data);

	kmem_cache_free(ubifs_inode_slab, ui);

}



static void ubifs_destroy_inode(struct inode *inode)

{

	struct ubifs_inode *ui = ubifs_inode(inode);



	kfree(ui->data);

	call_rcu(&inode->i_rcu, ubifs_i_callback);

}