From: Jeff Layton
Date: Tue, 26 Mar 2019 06:41:25 -0400
Subject: Re: ceph: fix use-after-free on symlink traversal
To: Al Viro
Cc: Linus Torvalds, syzbot, Alexei Starovoitov, Daniel Borkmann, linux-fsdevel, Linux List Kernel Mailing, syzkaller-bugs

On Mon, Mar 25, 2019 at 9:39 PM Al Viro wrote:
>
> free the symlink body after the same RCU delay we have for freeing the
> struct inode itself, so that traversal during RCU pathwalk wouldn't step
> into freed memory.
>
> Signed-off-by: Al Viro
> ---
> diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c > index e3346628efe2..2d61ddda9bf5 100644 > --- a/fs/ceph/inode.c > +++ b/fs/ceph/inode.c > @@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head) > struct inode *inode = container_of(head, struct inode, i_rcu); > struct ceph_inode_info *ci = ceph_inode(inode); > > + kfree(ci->i_symlink); > kmem_cache_free(ceph_inode_cachep, ci); > }
> > @@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode) > } > } > > - kfree(ci->i_symlink); > while ((n = rb_first(&ci->i_fragtree)) != NULL) { > frag = rb_entry(n, struct ceph_inode_frag, node); > rb_erase(n, &ci->i_fragtree);

Reviewed-by: Jeff Layton
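
Review bot: in the first hunk, the new kfree(ci->i_symlink) in ceph_i_callback() has no comment saying why the symlink body is freed in the RCU callback rather than in ceph_destroy_inode(). The reason is only in the commit message (an RCU pathwalk may still be traversing the symlink until the grace period ends), so a one-line comment above the kfree() would keep a later cleanup from moving the free back into the destroy path and reintroducing the use-after-free.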
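
Review bot: in the second hunk, ceph_destroy_inode() no longer frees ci->i_symlink, so the body is now released only if ceph_i_callback() runs for this inode. The visible context does not show where the callback is queued; it is worth confirming that every path through ceph_destroy_inode() reaches that point, since any early return before it would now leak the symlink body where it previously did not.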