coda_flag_children(): fix a UAF

if de goes negative right under us, there's nothing to prevent inode
getting freed just as we call coda_flag_inode().  We are not holding
->d_lock, so it's not impossible.  Not going to be reproducible on
bare hardware unless it's a realtime config, but it could happen on KVM.

Trivial to fix - just hold rcu_read_lock() over that loop.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/fs/coda/cache.c b/fs/coda/cache.c
index 970f0022ec528a2bc15687ede18776475721642b..24513129630043536c5daf9ff35c156be61ad900 100644 (file)
--- a/fs/coda/cache.c
+++ b/fs/coda/cache.c
@@ -93,12 +93,14 @@ static void coda_flag_children(struct dentry *parent, int flag)
        struct dentry *de;
 
        spin_lock(&parent->d_lock);
+       rcu_read_lock();
        hlist_for_each_entry(de, &parent->d_children, d_sib) {
                struct inode *inode = d_inode_rcu(de);
                /* don't know what to do with negative dentries */
                if (inode)
                        coda_flag_inode(inode, flag);
        }
+       rcu_read_unlock();
        spin_unlock(&parent->d_lock);
 }