debugfs: fix use-after-free on symlink traversal

author Al Viro <viro@zeniv.linux.org.uk>

Tue, 26 Mar 2019 01:43:37 +0000 (01:43 +0000)

committer Al Viro <viro@zeniv.linux.org.uk>

Mon, 1 Apr 2019 04:31:02 +0000 (00:31 -0400)
author Al Viro <viro@zeniv.linux.org.uk>
Tue, 26 Mar 2019 01:43:37 +0000 (01:43 +0000)
committer Al Viro <viro@zeniv.linux.org.uk>
Mon, 1 Apr 2019 04:31:02 +0000 (00:31 -0400)
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c

index 95b5e78c22b1e98811d3aca9c64c2c5deb54c6fe..f25daa207421c50cf38b1e4771ef5ab3332e9be1 100644 (file)
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -163,19 +163,24 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root)
         return 0;
  }
  
-static void debugfs_evict_inode(struct inode *inode)
+static void debugfs_i_callback(struct rcu_head *head)
  {
-       truncate_inode_pages_final(&inode->i_data);
-       clear_inode(inode);
+       struct inode *inode = container_of(head, struct inode, i_rcu);
         if (S_ISLNK(inode->i_mode))
                 kfree(inode->i_link);
+       free_inode_nonrcu(inode);
+}
+
+static void debugfs_destroy_inode(struct inode *inode)
+{
+       call_rcu(&inode->i_rcu, debugfs_i_callback);
  }
  
  static const struct super_operations debugfs_super_operations = {
         .statfs         = simple_statfs,
         .remount_fs     = debugfs_remount,
         .show_options   = debugfs_show_options,
-       .evict_inode    = debugfs_evict_inode,
+       .destroy_inode  = debugfs_destroy_inode,
  };
  
  static void debugfs_release_dentry(struct dentry *dentry)
author	Al Viro <viro@zeniv.linux.org.uk>
	Tue, 26 Mar 2019 01:43:37 +0000 (01:43 +0000)
committer	Al Viro <viro@zeniv.linux.org.uk>
	Mon, 1 Apr 2019 04:31:02 +0000 (00:31 -0400)