hulk inclusion
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13284

------------------

In MFS, each anon_file points to a cache object which holds a reference to the real inode, but the inode can be left with only one reference in some cases. When the daemon process exits, the anon file related to the fd will be closed. If we call iput first, the inode may trigger eviction, which destroys the cache object. So, we should iput later to avoid the UAF problem.

Fixes: b31d6cf3607f ("mfs: Add user command for handling events")
Signed-off-by: Hongbo Li <lihongbo22@huawei.com>
--- fs/mfs/cache.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/mfs/cache.c b/fs/mfs/cache.c index 2675fe58b781..c06dcc9dc758 100644 --- a/fs/mfs/cache.c +++ b/fs/mfs/cache.c @@ -24,9 +24,11 @@ static int fd_release(struct inode *inode, struct file *file) if (object->fd > 0) { object->fd = -1; object->anon_file = NULL; + up_write(&object->rwsem); iput(object->mfs_inode); + } else { + up_write(&object->rwsem); } - up_write(&object->rwsem); return 0; } -- 2.34.1
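
Review bot: the `up_write(&object->rwsem)` call is now duplicated in both arms of the `if (object->fd > 0)` block in fd_release(), and nothing in the code records why the unlock has to come before `iput(object->mfs_inode)`. Consider saving the inode in a local while the lock is held (`struct inode *mfs_inode = NULL;` set to `object->mfs_inode` inside the branch), unlocking once after the block, and calling `iput(mfs_inode)` last, since iput() accepts NULL. A short comment at the iput() call stating that it may drop the last reference and evict the inode, destroying the cache object that owns the rwsem, would keep a later cleanup from moving the call back under the lock.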