From 22e83b00f5bcac4b0f306735ba7c84d7522d903d Mon Sep 17 00:00:00 2001
From: Al Viro
Date: Tue, 26 Mar 2019 01:39:50 +0000
Subject: jffs2: fix use-after-free on symlink traversal

free the symlink body after the same RCU delay we have for freeing the struct inode itself, so that traversal during RCU pathwalk wouldn't step into freed memory.

Signed-off-by: Al Viro
---
 cpukit/libfs/src/jffs2/src/readinode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'cpukit/libfs')

diff --git a/cpukit/libfs/src/jffs2/src/readinode.c b/cpukit/libfs/src/jffs2/src/readinode.c
index e6c9452c03..c4e32ead47 100644
--- a/cpukit/libfs/src/jffs2/src/readinode.c
+++ b/cpukit/libfs/src/jffs2/src/readinode.c
@@ -1434,11 +1434,12 @@ void jffs2_do_clear_inode(struct jffs2_sb_info *c, struct jffs2_inode_info *f)
 }

 jffs2_kill_fragtree(&f->fragtree, deleted?c:NULL);
-
+#ifdef __rtems__
 if (f->target) {
 kfree(f->target);
 f->target = NULL;
 }
+#endif /* __rtems__ */

 fds = f->dents;
 while(fds) {
--
cgit v1.2.3
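Review bot: The `#ifdef __rtems__` guard around `kfree(f->target)` in jffs2_do_clear_inode() keeps the immediate free on RTEMS builds, so the lifetime of the symlink body is unchanged there, and nothing in the hunk records why that is safe. The commit message describes freeing the body after an RCU delay, but the diffstat lists only readinode.c and no deferred free is visible; with `__rtems__` undefined, `f->target` would not be released in this function at all. I would add a comment above the guard, for example `/* RTEMS: symlink target is freed here, not in a delayed inode-destroy path as in upstream Linux; no lockless path walk reads f->target */`, once it is confirmed that no reader can still hold `f->target` when this function runs. The function body starts and ends outside the hunk.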