ceph: fix potential use-after-free in ceph_mdsc_build_path

temp is not defined outside of the RCU critical section here. Ensure we grab that value before we drop the rcu_read_lock. Reported-by: Al Viro <[email protected]> Signed-off-by: Jeff Layton <[email protected]> Signed-off-by: Ilya Dryomov <[email protected]>
chewitt · May 7, 2019 · 69a10fb · 69a10fb
1 parent ff4a80b
commit 69a10fb
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
@@ -2089,13 +2089,14 @@ static inline  u64 __get_oldest_tid(struct ceph_mds_client *mdsc)
  * Encode hidden .snap dirs as a double /, i.e.
  *   foo/.snap/bar -> foo//bar
  */
-char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *base,
+char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *pbase,
 			   int stop_on_nosnap)
 {
 	struct dentry *temp;
 	char *path;
 	int len, pos;
 	unsigned seq;
+	u64 base;
 
 	if (!dentry)
 		return ERR_PTR(-EINVAL);
@@ -2151,6 +2152,7 @@ char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *base,
 			path[--pos] = '/';
 		temp = temp->d_parent;
 	}
+	base = ceph_ino(d_inode(temp));
 	rcu_read_unlock();
 	if (pos != 0 || read_seqretry(&rename_lock, seq)) {
 		pr_err("build_path did not end path lookup where "
@@ -2163,10 +2165,10 @@ char *ceph_mdsc_build_path(struct dentry *dentry, int *plen, u64 *base,
 		goto retry;
 	}
 
-	*base = ceph_ino(d_inode(temp));
+	*pbase = base;
 	*plen = len;
 	dout("build_path on %p %d built %llx '%.*s'\n",
-	     dentry, d_count(dentry), *base, len, path);
+	     dentry, d_count(dentry), base, len, path);
 	return path;
 }