Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

torvalds · torvalds · commit db5481e705e2 · 2019-04-01T07:51:48.000-07:00
Pull symlink fixes from Al Viro: "The ceph fix is already in mainline, Daniel's bpf fix is in bpf tree (1da6c4d "bpf: fix use after free in bpf_evict_inode"), the rest is in here" * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: debugfs: fix use-after-free on symlink traversal ubifs: fix use-after-free on symlink traversal jffs2: fix use-after-free on symlink traversal
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
@@ -163,19 +163,24 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root)
 	return 0;
 }
 
-static void debugfs_evict_inode(struct inode *inode)
+static void debugfs_i_callback(struct rcu_head *head)
 {
-	truncate_inode_pages_final(&inode->i_data);
-	clear_inode(inode);
+	struct inode *inode = container_of(head, struct inode, i_rcu);
 	if (S_ISLNK(inode->i_mode))
 		kfree(inode->i_link);
+	free_inode_nonrcu(inode);
+}
+
+static void debugfs_destroy_inode(struct inode *inode)
+{
+	call_rcu(&inode->i_rcu, debugfs_i_callback);
 }
 
 static const struct super_operations debugfs_super_operations = {
 	.statfs		= simple_statfs,
 	.remount_fs	= debugfs_remount,
 	.show_options	= debugfs_show_options,
-	.evict_inode	= debugfs_evict_inode,
+	.destroy_inode	= debugfs_destroy_inode,
 };
 
 static void debugfs_release_dentry(struct dentry *dentry)
diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c
@@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f)
 
 	jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL);
 
-	if (f->target) {
-		kfree(f->target);
-		f->target = NULL;
-	}
-
 	fds = f->dents;
 	while(fds) {
 		fd = fds;
diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
@@ -47,7 +47,10 @@ static struct inode *jffs2_alloc_inode(struct super_block *sb)
 static void jffs2_i_callback(struct rcu_head *head)
 {
 	struct inode *inode = container_of(head, struct inode, i_rcu);
-	kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode));
+	struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+
+	kfree(f->target);
+	kmem_cache_free(jffs2_inode_cachep, f);
 }
 
 static void jffs2_destroy_inode(struct inode *inode)
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
@@ -276,14 +276,12 @@ static void ubifs_i_callback(struct rcu_head *head)
 {
 	struct inode *inode = container_of(head, struct inode, i_rcu);
 	struct ubifs_inode *ui = ubifs_inode(inode);
+	kfree(ui->data);
 	kmem_cache_free(ubifs_inode_slab, ui);
 }
 
 static void ubifs_destroy_inode(struct inode *inode)
 {
-	struct ubifs_inode *ui = ubifs_inode(inode);
-
-	kfree(ui->data);
 	call_rcu(&inode->i_rcu, ubifs_i_callback);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,10 @@ static struct inode jffs2_alloc_inode(struct super_block sb)`
`47`	`47`	`static void jffs2_i_callback(struct rcu_head *head)`
`48`	`48`	`{`
`49`	`49`	`struct inode *inode = container_of(head, struct inode, i_rcu);`
`50`		`- kmem_cache_free(jffs2_inode_cachep, JFFS2_INODE_INFO(inode));`
	`50`	`+ struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);`
	`51`	`+`
	`52`	`+ kfree(f->target);`
	`53`	`+ kmem_cache_free(jffs2_inode_cachep, f);`
`51`	`54`	`}`
`52`	`55`
`53`	`56`	`static void jffs2_destroy_inode(struct inode *inode)`
Original file line number	Diff line number	Diff line change
`@@ -276,14 +276,12 @@ static void ubifs_i_callback(struct rcu_head *head)`
`276`	`276`	`{`
`277`	`277`	`struct inode *inode = container_of(head, struct inode, i_rcu);`
`278`	`278`	`struct ubifs_inode *ui = ubifs_inode(inode);`
	`279`	`+ kfree(ui->data);`
`279`	`280`	`kmem_cache_free(ubifs_inode_slab, ui);`
`280`	`281`	`}`
`281`	`282`
`282`	`283`	`static void ubifs_destroy_inode(struct inode *inode)`
`283`	`284`	`{`
`284`		`- struct ubifs_inode *ui = ubifs_inode(inode);`
`285`		`-`
`286`		`- kfree(ui->data);`
`287`	`285`	`call_rcu(&inode->i_rcu, ubifs_i_callback);`
`288`	`286`	`}`
`289`	`287`