From: Al Viro Date: Sun, 1 Feb 2026 17:33:37 +0000 (-0500) Subject: coda_flag_children(): fix a UAF X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e252ed8988578f01da5a4f5aa4c2269f96f03951;p=thirdparty%2Fkernel%2Flinux.git coda_flag_children(): fix a UAF if de goes negative right under us, there's nothing to prevent inode getting freed just as we call coda_flag_inode(). We are not holding ->d_lock, so it's not impossible. Not going to be reproducible on bare hardware unless it's a realtime config, but it could happen on KVM. Trivial to fix - just hold rcu_read_lock() over that loop. Signed-off-by: Al Viro --- diff --git a/fs/coda/cache.c b/fs/coda/cache.c index 970f0022ec52..245131296300 100644 --- a/fs/coda/cache.c +++ b/fs/coda/cache.c @@ -93,12 +93,14 @@ static void coda_flag_children(struct dentry *parent, int flag) struct dentry *de; spin_lock(&parent->d_lock); + rcu_read_lock(); hlist_for_each_entry(de, &parent->d_children, d_sib) { struct inode *inode = d_inode_rcu(de); /* don't know what to do with negative dentries */ if (inode) coda_flag_inode(inode, flag); } + rcu_read_unlock(); spin_unlock(&parent->d_lock); }
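Review bot: the new rcu_read_lock()/rcu_read_unlock() pair deserves a one-line comment explaining why it is needed when parent->d_lock is already held across the loop, since a later reader will be tempted to drop it as redundant. As the commit message says, the window only opens on realtime configs, where spin_lock() no longer implies an RCU read-side critical section, so d_inode_rcu(de) can return an inode that the dentry going negative has already queued for freeing before coda_flag_inode() dereferences it. Suggest something like `/* d_lock doesn't pin de's inode; RCU keeps it alive until coda_flag_inode() returns */` above the `rcu_read_lock();` line, and optionally sharpening the existing "don't know what to do with negative dentries" comment to note that de may turn negative while we walk d_children.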