coda_flag_children(): fix a UAF

Al Viro · Al Viro · commit e252ed898857 · 2026-04-04T21:03:13.000-04:00
if de goes negative right under us, there's nothing to prevent inode
getting freed just as we call coda_flag_inode().  We are not holding
-&gt;d_lock, so it's not impossible.  Not going to be reproducible on
bare hardware unless it's a realtime config, but it could happen on KVM.

Trivial to fix - just hold rcu_read_lock() over that loop.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
diff --git a/fs/coda/cache.c b/fs/coda/cache.c
@@ -93,12 +93,14 @@ static void coda_flag_children(struct dentry *parent, int flag)
 	struct dentry *de;
 
 	spin_lock(&parent->d_lock);
+	rcu_read_lock();
 	hlist_for_each_entry(de, &parent->d_children, d_sib) {
 		struct inode *inode = d_inode_rcu(de);
 		/* don't know what to do with negative dentries */
 		if (inode)
 			coda_flag_inode(inode, flag);
 	}
+	rcu_read_unlock();
 	spin_unlock(&parent->d_lock);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -93,12 +93,14 @@ static void coda_flag_children(struct dentry *parent, int flag)`
`93`	`93`	`struct dentry *de;`
`94`	`94`
`95`	`95`	`spin_lock(&parent->d_lock);`
	`96`	`+ rcu_read_lock();`
`96`	`97`	`hlist_for_each_entry(de, &parent->d_children, d_sib) {`
`97`	`98`	`struct inode *inode = d_inode_rcu(de);`
`98`	`99`	`/* don't know what to do with negative dentries */`
`99`	`100`	`if (inode)`
`100`	`101`	`coda_flag_inode(inode, flag);`
`101`	`102`	`}`
	`103`	`+ rcu_read_unlock();`
`102`	`104`	`spin_unlock(&parent->d_lock);`
`103`	`105`	`}`
`104`	`106`