
Commit 69a10fb3 authored by Jeff Layton's avatar Jeff Layton Committed by Ilya Dryomov

ceph: fix potential use-after-free in ceph_mdsc_build_path



temp is not safe to dereference outside of the RCU critical section here.
Ensure we grab the inode number from it before we drop the rcu_read_lock.

Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarJeff Layton <jlayton@kernel.org>
Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
parent ff4a80bf
+5 −3
@@ -2089,13 +2089,14 @@ static inline u64 __get_oldest_tid(struct ceph_mds_client *mdsc)
 * Encode hidden .snap dirs as a double /, i.e.
 *   foo/.snap/bar -> foo//bar
 */
char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *base,
char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *pbase,
			   int stop_on_nosnap)
{
	struct dentry *temp;
	char *path;
	int len, pos;
	unsigned seq;
	u64 base;

	if (!dentry)
		return ERR_PTR(-EINVAL);
@@ -2151,6 +2152,7 @@ char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *base,
			path[--pos] = '/';
		temp = temp->d_parent;
	}
	base = ceph_ino(d_inode(temp));
	rcu_read_unlock();
	if (pos != 0 || read_seqretry(&rename_lock, seq)) {
		pr_err("build_path did not end path lookup where "
@@ -2163,10 +2165,10 @@ char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *base,
		goto retry;
	}

	*base = ceph_ino(d_inode(temp));
	*pbase = base;
	*plen = len;
	dout("build_path on %p %d built %llx '%.*s'\n",
	     dentry, d_count(dentry), *base, len, path);
	     dentry, d_count(dentry), base, len, path);
	return path;
}
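Review bot: The new `base = ceph_ino(d_inode(temp));` in the second hunk must stay ahead of `rcu_read_unlock()`, but nothing on the line says so, and a later cleanup could move it back down next to `*pbase = base;` and reintroduce the use-after-free. I would add a comment above it such as `/* temp may be freed once we leave the RCU section; sample the ino before unlocking */`. Storing to `*pbase` only after the `read_seqretry()` check means a retried walk never hands the caller a value from an abandoned pass, and that ordering is worth stating in the same comment. As before the change, `ceph_ino()` is applied to `d_inode(temp)` with no NULL check visible; the loop that walks `d_parent` starts outside the hunk, so whether a negative dentry can reach this line should be confirmed there.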