github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 16:18:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

coda_flag_children(): fix a UAF

Browse Source 
if de goes negative right under us, there's nothing to prevent inode
getting freed just as we call coda_flag_inode().  We are not holding
->d_lock, so it's not impossible.  Not going to be reproducible on
bare hardware unless it's a realtime config, but it could happen on KVM.

Trivial to fix - just hold rcu_read_lock() over that loop.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
Al Viro 2026-02-01 12:33:37 -05:00
parent e6d6836731
commit e252ed8988
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fs/coda/cache.c
View File

@ -93,12 +93,14 @@ static void coda_flag_children(struct dentry *parent, int flag)
struct dentry *de;
spin_lock(&parent->d_lock);
rcu_read_lock();
hlist_for_each_entry(de, &parent->d_children, d_sib) {
struct inode *inode = d_inode_rcu(de);
/* don't know what to do with negative dentries */
if (inode)
coda_flag_inode(inode, flag);
}
rcu_read_unlock();
spin_unlock(&parent->d_lock);
}