Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
coda_flag_children(): fix a UAF
if de goes negative right under us, there's nothing to prevent inode
getting freed just as we call coda_flag_inode(). We are not holding
->d_lock, so it's not impossible. Not going to be reproducible on
bare hardware unless it's a realtime config, but it could happen on KVM.
Trivial to fix - just hold rcu_read_lock() over that loop.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+2
+2
fs/coda/cache.c
+2
fs/coda/cache.c
···
93
93
struct dentry *de;
94
94
95
95
spin_lock(&parent->d_lock);
96
+
rcu_read_lock();
96
97
hlist_for_each_entry(de, &parent->d_children, d_sib) {
97
98
struct inode *inode = d_inode_rcu(de);
98
99
/* don't know what to do with negative dentries */
99
100
if (inode)
100
101
coda_flag_inode(inode, flag);
101
102
}
103
+
rcu_read_unlock();
102
104
spin_unlock(&parent->d_lock);
103
105
}
104
106