From: Ilya Dryomov
Date: Tue, 26 Mar 2019 12:38:40 +0100
Subject: Re: ceph: fix use-after-free on symlink traversal
To: Al Viro
Cc: Linus Torvalds, syzbot, Alexei Starovoitov, Daniel Borkmann, linux-fsdevel, Linux List Kernel Mailing, syzkaller-bugs
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 26, 2019 at 2:39 AM Al Viro wrote:
>
> free the symlink body after the same RCU delay we have for freeing the
> struct inode itself, so that traversal during RCU pathwalk wouldn't step
> into freed memory.
>
> Signed-off-by: Al Viro
> ---
> diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c > index e3346628efe2..2d61ddda9bf5 100644 > --- a/fs/ceph/inode.c > +++ b/fs/ceph/inode.c > @@ -524,6 +524,7 @@ static void ceph_i_callback(struct rcu_head *head) > struct inode *inode = container_of(head, struct inode, i_rcu); > struct ceph_inode_info *ci = ceph_inode(inode); > > + kfree(ci->i_symlink); > kmem_cache_free(ceph_inode_cachep, ci); > }
> > @@ -566,7 +567,6 @@ void ceph_destroy_inode(struct inode *inode) > } > } > > - kfree(ci->i_symlink); > while ((n = rb_first(&ci->i_fragtree)) != NULL) { > frag = rb_entry(n, struct ceph_inode_frag, node); > rb_erase(n, &ci->i_fragtree);

Al, I see you directed this patch at Linus instead of ceph-devel. I can pick it up for -rc3 as I have an important libceph fix pending anyway. Let me know if you want me to handle it.

Thanks,

Ilya
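
Review bot: in the ceph_i_callback() hunk, the added kfree(ci->i_symlink) carries no comment explaining why the symlink body has to be freed from the RCU callback rather than in ceph_destroy_inode(); the reason lives only in the commit message. A one-line comment above it, saying that RCU pathwalk may still be reading i_symlink until the grace period ends, would keep a later cleanup from moving the kfree back into ceph_destroy_inode(), where the second hunk removes it. The commit message also has only a Signed-off-by; since this fixes a use-after-free, a Fixes: tag and a stable Cc would help backporters.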