jffs2: fix use-after-free on symlink traversal

Al Viro · Al Viro · commit 4fdcfab5b553 · 2019-04-01T00:31:02.000-04:00
free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c
@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f)
 
 	jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL);
 
-	if (f->target) {
-		kfree(f->target);
-		f->target = NULL;
-	}
-
 	fds = f->dents;
 	while(fds) {
 		fd = fds;
diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb)
 static void jffs2_i_callback(struct rcu_head *head)
 {
 	struct inode *inode = container_of(head, struct inode, i_rcu);
-	kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode));
+	struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+
+	kfree(f->target);
+	kmem_cache_free(jffs2_inode_cachep, f);
 }
 
 static void jffs2_destroy_inode(struct inode *inode)

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,10 @@ static struct inode jffs2_alloc_inode(struct super_block sb)`
`47`	`47`	`static void jffs2_i_callback(struct rcu_head *head)`
`48`	`48`	`{`
`49`	`49`	`struct inode *inode = container_of(head, struct inode, i_rcu);`
`50`		`- kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode));`
	`50`	`+ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);`
	`51`	`+`
	`52`	`+ kfree(f->target);`
	`53`	`+ kmem_cache_free(jffs2_inode_cachep, f);`
`51`	`54`	`}`
`52`	`55`
`53`	`56`	`static void jffs2_destroy_inode(struct inode *inode)`