Commit e252ed89 authored Feb 01, 2026 by Al Viro

coda_flag_children(): fix a UAF



if de goes negative right under us, there's nothing to prevent inode
getting freed just as we call coda_flag_inode().  We are not holding
->d_lock, so it's not impossible.  Not going to be reproducible on
bare hardware unless it's a realtime config, but it could happen on KVM.

Trivial to fix - just hold rcu_read_lock() over that loop.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

parent e6d68367

fs/coda/cache.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -93,12 +93,14 @@ static void coda_flag_children(struct dentry *parent, int flag)
		struct dentry *de;

		spin_lock(&parent->d_lock);
		rcu_read_lock();
		hlist_for_each_entry(de, &parent->d_children, d_sib) {
		struct inode *inode = d_inode_rcu(de);
		/* don't know what to do with negative dentries */
		if (inode)
		coda_flag_inode(inode, flag);
		}
		rcu_read_unlock();
		spin_unlock(&parent->d_lock);
		}