ceph: fix use-after-free on symlink traversal

Al Viro · idryomov · commit daf5cc27eed9 · 2019-03-27T19:00:37.000+01:00
free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Reviewed-by: Jeff Layton &lt;jlayton@kernel.org&gt;
Signed-off-by: Ilya Dryomov &lt;idryomov@gmail.com&gt;
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
@@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head)
 	struct inode *inode = container_of(head, struct inode, i_rcu);
 	struct ceph_inode_info *ci = ceph_inode(inode);
 
+	kfree(ci->i_symlink);
 	kmem_cache_free(ceph_inode_cachep, ci);
 }
 
@@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode)
 		}
 	}
 
-	kfree(ci->i_symlink);
 	while ((n = rb_first(&ci->i_fragtree)) != NULL) {
 		frag = rb_entry(n, struct ceph_inode_frag, node);
 		rb_erase(n, &ci->i_fragtree);

Original file line number	Diff line number	Diff line change
`@@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head)`
`524`	`524`	`struct inode *inode = container_of(head, struct inode, i_rcu);`
`525`	`525`	`struct ceph_inode_info *ci = ceph_inode(inode);`
`526`	`526`
	`527`	`+ kfree(ci->i_symlink);`
`527`	`528`	`kmem_cache_free(ceph_inode_cachep, ci);`
`528`	`529`	`}`
`529`	`530`
`@@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode)`
`566`	`567`	`}`
`567`	`568`	`}`
`568`	`569`
`569`		`- kfree(ci->i_symlink);`
`570`	`570`	`while ((n = rb_first(&ci->i_fragtree)) != NULL) {`
`571`	`571`	`frag = rb_entry(n, struct ceph_inode_frag, node);`
`572`	`572`	`rb_erase(n, &ci->i_fragtree);`