[PATCH 03/13] jffs2: fix use-after-free on symlink traversal
Sebastian Huber
sebastian.huber at embedded-brains.de
Fri Jun 10 08:20:55 UTC 2022
From: Al Viro <viro at zeniv.linux.org.uk>
free the symlink body after the same RCU delay we have for freeing the
struct inode itself, so that traversal during RCU pathwalk wouldn't step
into freed memory.
Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
---
cpukit/libfs/src/jffs2/src/readinode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cpukit/libfs/src/jffs2/src/readinode.c b/cpukit/libfs/src/jffs2/src/readinode.c
index e6c9452c03..c4e32ead47 100644
--- a/cpukit/libfs/src/jffs2/src/readinode.c
+++ b/cpukit/libfs/src/jffs2/src/readinode.c
@@ -1434,11 +1434,12 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f)
}
jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL);
-
+#ifdef __rtems__
if (f->target) {
kfree(f->target);
f->target = NULL;
}
+#endif /* __rtems__ */
fds = f->dents;
while(fds) {
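Review bot: The commit message does not match what this hunk in jffs2_do_clear_inode() does. It describes freeing the symlink body after an RCU delay, but the only change visible here is wrapping the existing `kfree(f->target)` block in `#ifdef __rtems__`. With `__rtems__` defined, the free still happens immediately. Without it, `f->target` is no longer freed in this function, and no deferred free appears anywhere in this patch (the diffstat lists this one file only). Please add a sentence to the commit message saying that the RTEMS build intentionally keeps the immediate free and why that is safe here, and either point to where the non-RTEMS path releases `f->target` or note that this path is never built in this tree. As a style point, the blank line removed after `jffs2_kill_fragtree(...)` separated the fragtree teardown from the symlink cleanup and could stay.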
--
2.35.3