Commit 4fdcfab5 authored by Al Viro

jffs2: fix use-after-free on symlink traversal

free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent 9e98c678
...@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f) ...@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f)
jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL); jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL);
if (f->target) {
kfree(f->target);
f->target = NULL;
}
fds = f->dents; fds = f->dents;
while(fds) { while(fds) {
fd = fds; fd = fds;
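Review bot: Nothing on the new side of jffs2_do_clear_inode records that f->target is now deliberately left allocated here, so the removed block reads like an accidental omission and a later cleanup could reintroduce the early kfree and with it the use-after-free this commit fixes. A one-line comment at the point of the removal would pin the invariant: `/* f->target is freed in jffs2_i_callback(), after the RCU grace period, so lockless symlink traversal never sees freed memory. */`. jffs2_do_clear_inode begins and continues outside the hunk, so whether any other statement in the function still touches f->target cannot be seen from here.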
...@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb) ...@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb)
static void jffs2_i_callback(struct rcu_head *head) static void jffs2_i_callback(struct rcu_head *head)
{ {
struct inode *inode = container_of(head, struct inode, i_rcu); struct inode *inode = container_of(head, struct inode, i_rcu);
kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode)); struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
kfree(f->target);
kmem_cache_free(jffs2_inode_cachep, f);
} }
static void jffs2_destroy_inode(struct inode *inode) static void jffs2_destroy_inode(struct inode *inode)
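Review bot: After `kfree(f->target)` the jffs2_inode_info object is returned to the slab cache with f->target still holding the freed address, and this is only safe if every allocation path re-initialises target before the inode can be read or destroyed again (presumably jffs2_init_inode_info() does, but that is outside the hunk and worth confirming), otherwise an inode that is destroyed before its target is assigned would free the stale pointer a second time. If that guarantee is not obvious from the allocation side, `f->target = NULL;` after the kfree is a cheap defence. A comment explaining why the free lives here rather than in jffs2_do_clear_inode would also help the next reader: `/* The symlink body must outlive the inode by the same RCU grace period: pathwalk may still be reading it. */`.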