author | Al Viro <viro@zeniv.linux.org.uk> | 2019-03-26 01:39:50 +0000 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2019-04-01 00:31:02 -0400 |
commit | 4fdcfab5b5537c21891e22e65996d4d0dd8ab4ca (patch) | |
tree | d0c9167b762a5837ac3030d2f1e869454a4c4ac6 /fs/jffs2/readinode.c | |
parent | 9e98c678c2d6ae3a17cb2de55d17f69dddaa231b (diff) | |
jffs2: fix use-after-free on symlink traversal
free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/jffs2/readinode.c')
-rw-r--r-- | fs/jffs2/readinode.c | 5 |
1 files changed, 0 insertions, 5 deletions
diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c index 389ea53ea487..bccfc40b3a74 100644 --- a/fs/jffs2/readinode.c +++ b/fs/jffs2/readinode.c @@ -1414,11 +1414,6 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f) jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL); - if (f->target) { - kfree(f->target); - f->target = NULL; - } - fds = f->dents; while(fds) { fd = fds; |
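Review bot: After this hunk, jffs2_do_clear_inode() no longer frees f->target, and nothing visible here shows where it is freed instead, since the diffstat is limited to fs/jffs2/readinode.c. The commit message says the symlink body is now freed after the same RCU delay as the struct inode, so please confirm that the rest of the commit adds the matching kfree(f->target) on that delayed path. Also check every caller of jffs2_do_clear_inode(): any caller whose jffs2_inode_info never reaches the RCU-delayed inode free would leak the buffer now that the kfree is gone from here. A short comment at the old location, saying that f->target is deliberately left alone and naming the function that releases it, would keep a later cleanup from reintroducing the early free.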