fuse: fix UAF in rcu pathwalks

->permission(), ->get_link() and ->inode_get_acl() might dereference ->s_fs_info (and, in case of ->permission(), ->s_fs_info->fc->user_ns as well) when called from rcu pathwalk. Freeing ->s_fs_info->fc is rcu-delayed; we need to make freeing ->s_fs_info and dropping ->user_ns rcu-delayed too. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Al Viro <viro@zeniv.linux.org.uk> 2023-09-28 00:19:39 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> 2024-02-25 02:10:32 -0500
commit: 053fc4f755ad43cf35210677bcba798ccdc48d0c (patch)
tree: 9a05104524fe0f42cf0071bc5619ab17dbca5b72 /fs/fuse/fuse_i.h
parent: e31f0a57ae1ab2f6e17adb8e602bc120ad722232 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 1df83eebda92..bcbe34488862 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -888,6 +888,7 @@ struct fuse_mount {
 
 	/* Entry on fc->mounts */
 	struct list_head fc_entry;
+	struct rcu_head rcu;
 };
 
 static inline struct fuse_mount *get_fuse_mount_super(struct super_block *sb)
author	Al Viro <viro@zeniv.linux.org.uk>	2023-09-28 00:19:39 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	2024-02-25 02:10:32 -0500
commit	053fc4f755ad43cf35210677bcba798ccdc48d0c (patch)
tree	9a05104524fe0f42cf0071bc5619ab17dbca5b72 /fs/fuse/fuse_i.h
parent	e31f0a57ae1ab2f6e17adb8e602bc120ad722232 (diff)