Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A race condition vulnerability has been identified in the Linux kernel's file handling system. The issue arises in the function 'may_decode_fh()', which calls 'has_locked_children()' without holding the necessary locks, leading to a potential 'oops' condition. This race condition is not present in other callers of 'has_locked_children()', as they properly hold the 'namespace_sem' and ensure a positive reference count on the relevant mount. To address this vulnerability, 'has_locked_children()' has been renamed to '__has_locked_children()', made static, and its users in 'fs/namespace.c' switched to the new version. The original 'has_locked_children()' now serves as a wrapper, calling '__has_locked_children()' under the appropriate lock.
If the race is triggered, the kernel can hit an 'oops' error, which indicates a serious problem in the kernel that could be exploited to crash the system or potentially escalate privileges.
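The fix pattern described above (an unlocked file-local helper plus a wrapper that takes the lock for outside callers), sketched as a userspace model. This is an added example, not the kernel's code: the struct layout, the pthread mutex `tree_lock`, the held-lock counter and the single-argument signatures are assumptions; only the two function names come from the description.

```c
/* Userspace model (added example): struct layout, tree_lock and the
 * single-argument signature are assumptions, not kernel code. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>

struct mnt_model {
    bool locked;                 /* stands in for a locked mount */
    struct mnt_model *next;      /* next sibling */
    struct mnt_model *children;  /* first child */
};

static pthread_mutex_t tree_lock = PTHREAD_MUTEX_INITIALIZER;
static _Thread_local int tree_lock_held;  /* lockdep-style bookkeeping */

static void tree_lock_acquire(void) { pthread_mutex_lock(&tree_lock); tree_lock_held++; }
static void tree_lock_release(void) { tree_lock_held--; pthread_mutex_unlock(&tree_lock); }

/* Unlocked helper, file-local: the caller must already hold tree_lock.
 * Returns 1/0 for the answer, -1 if the locking contract is violated. */
static int __has_locked_children(const struct mnt_model *m)
{
    if (!tree_lock_held)
        return -1;
    for (const struct mnt_model *c = m->children; c; c = c->next)
        if (c->locked)
            return 1;
    return 0;
}

/* Wrapper for callers outside the file (the may_decode_fh() case):
 * takes the lock itself, so the child list cannot change mid-walk. */
bool has_locked_children(const struct mnt_model *m)
{
    tree_lock_acquire();
    int r = __has_locked_children(m);
    tree_lock_release();
    return r == 1;
}

int main(void)
{
    struct mnt_model child = { .locked = true };
    struct mnt_model root = { .children = &child };
    printf("wrapper: %d\n", has_locked_children(&root));
    printf("helper without lock: %d\n", __has_locked_children(&root));
    return 0;
}
```

The -1 return in the helper plays the role a lock assertion would: it makes a call without the lock visible instead of letting it walk a list that may be changing.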