git.ipfire.org Git - thirdparty/kernel/linux.git/commit
coda_flag_children(): fix a UAF
author Al Viro <viro@zeniv.linux.org.uk>
Sun, 1 Feb 2026 17:33:37 +0000 (12:33 -0500)
committer Al Viro <viro@zeniv.linux.org.uk>
Sun, 5 Apr 2026 01:03:13 +0000 (21:03 -0400)
commit e252ed8988578f01da5a4f5aa4c2269f96f03951
tree e6d6832d9a313a8ec12fb6b5894f23150873a729
parent e6d683673167763ac364108b0b0eb10d0c605868
coda_flag_children(): fix a UAF

if de goes negative right under us, there's nothing to prevent inode
getting freed just as we call coda_flag_inode().  We are not holding
->d_lock, so it's not impossible.  Not going to be reproducible on
bare hardware unless it's a realtime config, but it could happen on KVM.

Trivial to fix - just hold rcu_read_lock() over that loop.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/coda/cache.c