diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2023-09-28 00:19:39 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2024-02-25 02:10:32 -0500 |
| commit | 053fc4f755ad43cf35210677bcba798ccdc48d0c (patch) | |
| tree | 9a05104524fe0f42cf0071bc5619ab17dbca5b72 /fs/fuse/cuse.c | |
| parent | e31f0a57ae1ab2f6e17adb8e602bc120ad722232 (diff) | |
| download | lwn-053fc4f755ad43cf35210677bcba798ccdc48d0c.tar.gz lwn-053fc4f755ad43cf35210677bcba798ccdc48d0c.zip | |
fuse: fix UAF in rcu pathwalks
->permission(), ->get_link() and ->inode_get_acl() might dereference
->s_fs_info (and, in case of ->permission(), ->s_fs_info->fc->user_ns
as well) when called from rcu pathwalk.
Freeing ->s_fs_info->fc is rcu-delayed; we need to make freeing ->s_fs_info
and dropping ->user_ns rcu-delayed too.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/fuse/cuse.c')
| -rw-r--r-- | fs/fuse/cuse.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c index 91e89e68177e..b6cad106c37e 100644 --- a/fs/fuse/cuse.c +++ b/fs/fuse/cuse.c @@ -474,8 +474,7 @@ err: static void cuse_fc_release(struct fuse_conn *fc) { - struct cuse_conn *cc = fc_to_cc(fc); - kfree_rcu(cc, fc.rcu); + kfree(fc_to_cc(fc)); } /** |