From d9e91878322107cd0127ffa3cd9af33aa5f240e4 Mon Sep 17 00:00:00 2001
From: "Yan, Zheng"
Date: Tue, 19 Jun 2018 10:39:19 +0800
Subject: [PATCH] client: fix use-after-free in Client::link()

Fixes: http://tracker.ceph.com/issues/24557
Signed-off-by: "Yan, Zheng"
---
 src/client/Client.cc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/client/Client.cc b/src/client/Client.cc
index 213b78465d4f8..1b2a209c5cc02 100644
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -2975,8 +2975,10 @@ Dentry* Client::link(Dir *dir, const string& name, Inode *in, Dentry *dn)
 }
 if (in) { // link to inode
+ InodeRef tmp_ref;
 // only one parent for directories!
 if (in->is_dir() && !in->dentries.empty()) {
+ tmp_ref = in; // prevent unlink below from freeing the inode.
 Dentry *olddn = in->get_first_parent();
 assert(olddn->dir != dir || olddn->name != name);
 Inode *old_diri = olddn->dir->parent_inode;
-- 
2.39.5
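Review bot: The declaration `InodeRef tmp_ref;` sits in the outer `if (in)` block while the assignment is inside the directory branch, and nothing on the declaration says why the two are separated. Presumably the reference has to outlive the inner branch, until the inode is attached to the new dentry, but that code is outside the hunk; a later cleanup that moves the declaration next to `tmp_ref = in;` could bring the use-after-free back. I would document the lifetime on the declaration, e.g. `InodeRef tmp_ref; // keeps 'in' alive across the unlink of its old dentry, until this block ends`. The unlink call that the existing comment refers to, and the rest of Client::link(), lie past the end of the hunk.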