diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2023-09-28 00:19:39 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2024-02-25 02:10:32 -0500 |
| commit | 053fc4f755ad43cf35210677bcba798ccdc48d0c (patch) | |
| tree | 9a05104524fe0f42cf0071bc5619ab17dbca5b72 /fs/fuse/fuse_i.h | |
| parent | e31f0a57ae1ab2f6e17adb8e602bc120ad722232 (diff) | |
| download | lwn-053fc4f755ad43cf35210677bcba798ccdc48d0c.tar.gz lwn-053fc4f755ad43cf35210677bcba798ccdc48d0c.zip | |
fuse: fix UAF in rcu pathwalks
->permission(), ->get_link() and ->inode_get_acl() might dereference
->s_fs_info (and, in case of ->permission(), ->s_fs_info->fc->user_ns
as well) when called from rcu pathwalk.
Freeing ->s_fs_info->fc is rcu-delayed; we need to make freeing ->s_fs_info
and dropping ->user_ns rcu-delayed too.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/fuse/fuse_i.h')
| -rw-r--r-- | fs/fuse/fuse_i.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h index 1df83eebda92..bcbe34488862 100644 --- a/fs/fuse/fuse_i.h +++ b/fs/fuse/fuse_i.h @@ -888,6 +888,7 @@ struct fuse_mount { /* Entry on fc->mounts */ struct list_head fc_entry; + struct rcu_head rcu; }; static inline struct fuse_mount *get_fuse_mount_super(struct super_block *sb) |