From: Jeff Layton <jlayton@kernel.org>
Date: Fri, 26 Apr 2019 13:33:39 -0400
Subject: ceph: fix potential use-after-free in ceph_mdsc_build_path
Git-commit: 69a10fb3f4b8769ffd44e4eaa662ab691fa61f4c
Patch-mainline: v5.2-rc1
References: bsc#1138681
temp is not defined outside of the RCU critical section here. Ensure
we grab that value before we drop the rcu_read_lock.
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Acked-by: Luis Henriques <lhenriques@suse.com>
---
fs/ceph/mds_client.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -1883,13 +1883,14 @@ static inline u64 __get_oldest_tid(stru
* Encode hidden .snap dirs as a double /, i.e.
* foo/.snap/bar -> foo//bar
*/
-char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *base,
+char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *pbase,
int stop_on_nosnap)
{
struct dentry *temp;
char *path;
int len, pos;
unsigned seq;
+ u64 base;
if (!dentry)
return ERR_PTR(-EINVAL);
@@ -1945,6 +1946,7 @@ retry:
path[--pos] = '/';
temp = temp->d_parent;
}
+ base = ceph_ino(d_inode(temp));
rcu_read_unlock();
if (pos != 0 || read_seqretry(&rename_lock, seq)) {
pr_err("build_path did not end path lookup where "
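Review bot: The added `base = ceph_ino(d_inode(temp));` now runs before the `pos != 0 || read_seqretry(&rename_lock, seq)` check, so `d_inode(temp)` is also dereferenced on walks that are about to be discarded and retried, whereas the old `*base = ...` ran only after that check passed. The loop that leaves `temp` at its final value is outside this hunk, so it cannot be seen from here whether `temp` can be a negative dentry when the walk ends early. That is worth confirming, since `ceph_ino()` is given the inode pointer without a NULL test. Separately, the ordering is the whole point of the fix and is easy to undo in a later cleanup, so I would put a comment on the new line, for example `/* temp is only stable under rcu_read_lock(); sample the ino before unlocking */`.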
@@ -1957,10 +1959,10 @@ retry:
goto retry;
}
- *base = ceph_ino(d_inode(temp));
+ *pbase = base;
*plen = len;
dout("build_path on %p %d built %llx '%.*s'\n",
- dentry, d_count(dentry), *base, len, path);
+ dentry, d_count(dentry), base, len, path);
return path;
}