CVE-2026-43470

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfs: return EISDIR on nfs3_proc_create if d_alias is a dir<br /> <br /> If we found an alias through nfs3_do_create/nfs_add_or_obtain<br /> /d_splice_alias which happens to be a dir dentry, we don&amp;#39;t return<br /> any error, and simply forget about this alias, but the original<br /> dentry we were adding and passed as parameter remains negative.<br /> <br /> This later causes an oops on nfs_atomic_open_v23/finish_open since we<br /> supply a negative dentry to do_dentry_open.<br /> <br /> This has been observed running lustre-racer, where dirs and files are<br /> created/removed concurrently with the same name and O_EXCL is not<br /> used to open files (frequent file redirection).<br /> <br /> While d_splice_alias typically returns a directory alias or NULL, we<br /> explicitly check d_is_dir() to ensure that we don&amp;#39;t attempt to perform<br /> file operations (like finish_open) on a directory inode, which triggers<br /> the observed oops.