Candidate: CVE-2009-2908
Description:
 When calling vfs_unlink() on the lower dentry, d_delete() turns the
 dentry into a negative dentry when the d_count is 1.  This eventually
 caused a NULL pointer deref when a read() or write() was done and the
 negative dentry's d_inode was dereferenced in
 ecryptfs_read_update_atime() or ecryptfs_getxattr().
References:
 http://www.openwall.com/lists/oss-security/2009/10/06/1
 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=commit;h=afc2b6932f48f200736d3e36ad66fee0ec733136
 https://bugzilla.redhat.com/show_bug.cgi?id=527534
Notes:
 jmm> Introduced in 2.6.19
Bugs:
upstream: released (2.6.31.2) [afc2b6932f48f200736d3e36ad66fee0ec733136], released (2.6.32-rc3) [9c2d2056647790c5034d722bd24e9d913ebca73c]
linux-2.6: released (2.6.31-1)
2.6.18-etch-security: N/A
2.6.24-etch-security: released (2.6.24-6~etchnhalf.9etch1) [bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch]
2.6.26-lenny-security: released (2.6.26-19lenny1) [bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch]