From 69a10fb3f4b8769ffd44e4eaa662ab691fa61f4c Mon Sep 17 00:00:00 2001 From: Jeff Layton Date: Fri, 26 Apr 2019 13:33:39 -0400 Subject: [PATCH] ceph: fix potential use-after-free in ceph_mdsc_build_path temp is not defined outside of the RCU critical section here. Ensure we grab that value before we drop the rcu_read_lock. Reported-by: Al Viro Signed-off-by: Jeff Layton Signed-off-by: Ilya Dryomov --- fs/ceph/mds_client.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index 761cb669aa13..b01e2043b1b2 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -2089,13 +2089,14 @@ static inline u64 __get_oldest_tid(struct ceph_mds_client *mdsc) * Encode hidden .snap dirs as a double /, i.e. * foo/.snap/bar -> foo//bar */ -char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *base, +char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *pbase, int stop_on_nosnap) { struct dentry *temp; char *path; int len, pos; unsigned seq; + u64 base; if (!dentry) return ERR_PTR(-EINVAL); @@ -2151,6 +2152,7 @@ char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *base, path[--pos] = '/'; temp = temp->d_parent; } + base = ceph_ino(d_inode(temp)); rcu_read_unlock(); if (pos != 0 || read_seqretry(&rename_lock, seq)) { pr_err("build_path did not end path lookup where " @@ -2163,10 +2165,10 @@ char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *base, goto retry; } - *base = ceph_ino(d_inode(temp)); + *pbase = base; *plen = len; dout("build_path on %p %d built %llx '%.*s'\n", - dentry, d_count(dentry), *base, len, path); + dentry, d_count(dentry), base, len, path); return path; }