From: Al Viro <viro@zeniv.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: syzbot <syzbot+7a8ba368b47fdefca61e@syzkaller.appspotmail.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: ceph: fix use-after-free on symlink traversal
Date: Tue, 26 Mar 2019 01:38:58 +0000 [thread overview]
Message-ID: <20190326013858.GU2217@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20190325233731.GS2217@ZenIV.linux.org.uk>
free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index e3346628efe2..2d61ddda9bf5 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head)
struct inode *inode = container_of(head, struct inode, i_rcu);
struct ceph_inode_info *ci = ceph_inode(inode);
+ kfree(ci->i_symlink);
kmem_cache_free(ceph_inode_cachep, ci);
}
@@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode)
}
}
- kfree(ci->i_symlink);
while ((n = rb_first(&ci->i_fragtree)) != NULL) {
frag = rb_entry(n, struct ceph_inode_frag, node);
rb_erase(n, &ci->i_fragtree);
next prev parent reply other threads:[~2019-03-26 1:39 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-28 17:40 KASAN: use-after-free Read in path_lookupat syzbot
2019-03-25 0:44 ` syzbot
2019-03-25 1:25 ` Linus Torvalds
2019-03-25 1:23 ` Linus Torvalds
2019-03-25 4:57 ` Al Viro
2019-03-25 9:15 ` Daniel Borkmann
2019-03-25 11:11 ` Al Viro
2019-03-25 11:17 ` Al Viro
2019-03-25 11:21 ` Daniel Borkmann
2019-03-25 18:36 ` Linus Torvalds
2019-03-25 19:18 ` Linus Torvalds
2019-03-25 21:14 ` Al Viro
2019-03-25 21:45 ` Linus Torvalds
2019-03-25 22:04 ` Daniel Borkmann
2019-03-25 22:13 ` Linus Torvalds
2019-03-25 22:41 ` Daniel Borkmann
2019-03-25 22:49 ` Al Viro
2019-03-25 23:37 ` Al Viro
2019-03-25 23:44 ` Alexei Starovoitov
2019-03-26 0:21 ` Al Viro
2019-03-26 1:38 ` Al Viro [this message]
2019-03-26 1:39 ` jffs2: fix use-after-free on symlink traversal Al Viro
2019-03-26 1:40 ` ubifs: " Al Viro
2019-03-26 1:43 ` debugfs: " Al Viro
2019-03-26 10:41 ` ceph: " Jeff Layton
2019-03-26 11:38 ` Ilya Dryomov
2019-03-26 1:45 ` KASAN: use-after-free Read in path_lookupat Al Viro
2019-04-10 18:11 ` Al Viro
2019-04-10 19:44 ` Linus Torvalds
2019-03-25 19:43 ` Al Viro
2019-03-25 22:48 ` Dave Chinner
2019-03-25 23:02 ` Al Viro
[not found] ` <CAGe7X7mb=gK7zhSwmT_6mmmkcbjhZAOb=wj31BdUcHkNUPsm2Q@mail.gmail.com>
2019-03-26 4:15 ` Al Viro
2019-03-27 16:58 ` Jan Kara
2019-03-27 18:59 ` Al Viro
2019-03-28 9:00 ` Jan Kara
2019-03-27 17:22 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190326013858.GU2217@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+7a8ba368b47fdefca61e@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.