Commit 0cdc17e

Author: Al Viro
ubifs: fix use-after-free on symlink traversal
free the symlink body after the same RCU delay we have for freeing the struct inode itself, so that traversal during RCU pathwalk wouldn't step into freed memory.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
1 parent 4fdcfab commit 0cdc17e

1 file changed

+1
-3
lines changed

fs/ubifs/super.c

Lines changed: 1 addition & 3 deletions
@@ -276,14 +276,12 @@ static void ubifs_i_callback(struct rcu_head *head)
276276
{
277277
struct inode *inode = container_of(head, struct inode, i_rcu);
278278
struct ubifs_inode *ui = ubifs_inode(inode);
279+
kfree(ui->data);
279280
kmem_cache_free(ubifs_inode_slab, ui);
280281
}
281282

282283
static void ubifs_destroy_inode(struct inode *inode)
283284
{
284-
struct ubifs_inode *ui = ubifs_inode(inode);
285-
286-
kfree(ui->data);
287285
call_rcu(&inode->i_rcu, ubifs_i_callback);
288286
}
289287

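Review bot: In ubifs_i_callback(), the added `kfree(ui->data);` has no comment explaining why it must run in the RCU callback rather than in ubifs_destroy_inode(), so a later cleanup could move it back and reintroduce the use-after-free the commit message describes. Suggest a one-line comment above it stating that RCU pathwalk may still be reading the symlink body until the grace period has passed. The ordering in the callback is correct as written: ui->data is freed before `kmem_cache_free(ubifs_inode_slab, ui);` releases ui itself, and kfree() accepts NULL, so no check is needed when ui->data is unset.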