autofs: fix use-after-free in lockless ->d_manage()

autofs_d_release() can overlap with lockless ->d_manage(),
ending up with autofs_dentry_ino() freed under the latter.
Make freeing autofs_info instances RCU-delayed...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/fs/autofs/autofs_i.h b/fs/autofs/autofs_i.h
index 70c132acdab1bcfe764f7aa28efe7be2c035e63b..e1091312abe1d88a1e7ae17f725f99ee93c4729b 100644 (file)
--- a/fs/autofs/autofs_i.h
+++ b/fs/autofs/autofs_i.h
@@ -71,6 +71,7 @@ struct autofs_info {
 
        kuid_t uid;
        kgid_t gid;
+       struct rcu_head rcu;
 };
 
 #define AUTOFS_INF_EXPIRING    (1<<0) /* dentry in the process of expiring */

diff --git a/fs/autofs/inode.c b/fs/autofs/inode.c
index 80597b88718b205f363cd2d93500bb7c3c1b9b29..fb0225f21c12550aceeebd7cb3779be553ab5885 100644 (file)
--- a/fs/autofs/inode.c
+++ b/fs/autofs/inode.c
@@ -36,7 +36,7 @@ void autofs_clean_ino(struct autofs_info *ino)
 
 void autofs_free_ino(struct autofs_info *ino)
 {
-       kfree(ino);
+       kfree_rcu(ino, rcu);
 }
 
 void autofs_kill_sb(struct super_block *sb)