diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2020-08-12 05:15:18 +0100 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2020-08-12 10:22:39 -0700 |
commit | 24fb33d40d60bd7d196400e7d5b26ff566fd98b7 (patch) | |
tree | 91905714cf8ebad56a8d3a5e889d60d774e5e92e /fs/namei.c | |
parent | fb893de323e2d39f7a1f6df425703a2edbdf56ea (diff) |
fix breakage in do_rmdir()
syzbot reported and bisected a use-after-free due to the recent init
cleanups.
The putname() should happen only after we'd *not* branched to retry,
same as it's done in do_unlinkat().
Reported-by: syzbot+bbeb1c88016c7db4aa24@syzkaller.appspotmail.com
Fixes: e24ab0ef689d "fs: push the getname from do_rmdir into the callers"
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/namei.c')
-rw-r--r-- | fs/namei.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/namei.c b/fs/namei.c index fde8fe086c09..9fa10c614de7 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3770,11 +3770,11 @@ exit2: mnt_drop_write(path.mnt); exit1: path_put(&path); - putname(name); if (retry_estale(error, lookup_flags)) { lookup_flags |= LOOKUP_REVAL; goto retry; } + putname(name); return error; } |