${URL}: A race condition was found in Linux kernel present since v3.14-rc1 upto v4.12 including. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. The next slab data or the slab's free list pointer can be corrupted with attacker-controlled data as a result of the race. References: https://bugzilla.redhat.com/show_bug.cgi?id=1468283 https://access.redhat.com/security/vulnerabilities/3112931 https://patchwork.kernel.org/patch/9755753/ https://patchwork.kernel.org/patch/9755757/ An upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49d31c2f389acfe83417083e1208422b4091cd9
Fixed in 4.9.41, 4.13