UbiquitousOS
/
OpenCloudOS-Kernel
mirror of https://gitee.com/OpenCloudOS/OpenCloudOS-Kernel.git
11
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 

Pull symlink fixes from Al Viro:
 "The ceph fix is already in mainline, Daniel's bpf fix is in bpf tree
  (1da6c4d914 "bpf: fix use after free in bpf_evict_inode"), the rest
  is in here"

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  debugfs: fix use-after-free on symlink traversal
  ubifs: fix use-after-free on symlink traversal
  jffs2: fix use-after-free on symlink traversal
This commit is contained in:
Linus Torvalds 2019-04-01 07:51:48 -07:00
parent 79a3aaa7b8 93b919da64
commit db5481e705
4 changed files with 14 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
fs/debugfs/inode.c
View File

@ -163,19 +163,24 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root)
return 0;
}
static void debugfs_evict_inode(struct inode *inode)
static void debugfs_i_callback(struct rcu_head *head)
{
truncate_inode_pages_final(&inode->i_data);
clear_inode(inode);
struct inode *inode = container_of(head, struct inode, i_rcu);
if (S_ISLNK(inode->i_mode))
kfree(inode->i_link);
free_inode_nonrcu(inode);
}
static void debugfs_destroy_inode(struct inode *inode)
{
call_rcu(&inode->i_rcu, debugfs_i_callback);
}
static const struct super_operations debugfs_super_operations = {
.statfs = simple_statfs,
.remount_fs = debugfs_remount,
.show_options = debugfs_show_options,
.evict_inode = debugfs_evict_inode,
.destroy_inode = debugfs_destroy_inode,
};
static void debugfs_release_dentry(struct dentry *dentry)

5
fs/jffs2/readinode.c
View File

@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f)
jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL);
if (f->target) {
kfree(f->target);
f->target = NULL;
}
fds = f->dents;
while(fds) {
fd = fds;

5
fs/jffs2/super.c
View File

@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb)
static void jffs2_i_callback(struct rcu_head *head)
{
struct inode *inode = container_of(head, struct inode, i_rcu);
kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode));
struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
kfree(f->target);
kmem_cache_free(jffs2_inode_cachep, f);
}
static void jffs2_destroy_inode(struct inode *inode)

4
fs/ubifs/super.c
View File

@ -276,14 +276,12 @@ static void ubifs_i_callback(struct rcu_head *head)
{
struct inode *inode = container_of(head, struct inode, i_rcu);
struct ubifs_inode *ui = ubifs_inode(inode);
kfree(ui->data);
kmem_cache_free(ubifs_inode_slab, ui);
}
static void ubifs_destroy_inode(struct inode *inode)
{
struct ubifs_inode *ui = ubifs_inode(inode);
kfree(ui->data);
call_rcu(&inode->i_rcu, ubifs_i_callback);
}