CVE-2022-49007

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/10/2024
Last modified: 25/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()

Syzbot reported a null-ptr-deref bug:

NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during a b-tree operation that cascadingly updates ancestor nodes of the b-tree, because nilfs_dat_commit_alloc() for a lower level block can initialize the blocknr on the same DAT entry between nilfs_dat_prepare_end() and nilfs_dat_commit_end().

If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free() without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and causes the NULL pointer dereference above in nilfs_palloc_commit_free_entry() function, which leads to a crash.

Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free().

This also calls nilfs_error() in that case to notify that there is a fatal flaw in the filesystem metadata and prevent further operations.
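The guard described in the fix, as an added user-space C model that is not the kernel patch or nilfs2 source. The struct layouts, function names, the `fs_error` flag and the integer return code are assumptions made for illustration; only the two checked fields mirror `req->pr_desc_bh` and `req->pr_bitmap_bh` from the description.

```c
/* User-space model of the NULL check; every name is a simplified stand-in
 * chosen for this example, not a kernel definition. */
#include <stddef.h>
#include <stdio.h>

struct buffer_head { unsigned char data[8]; };  /* stand-in for a block buffer */

struct palloc_req {                  /* models struct nilfs_palloc_req */
    unsigned long long entry_nr;
    struct buffer_head *desc_bh;     /* models req->pr_desc_bh */
    struct buffer_head *bitmap_bh;   /* models req->pr_bitmap_bh */
};

int fs_error;                        /* models the error state nilfs_error() raises */

/* Models nilfs_palloc_commit_free_entry(): uses both buffer heads without
 * checking them, so a NULL in either one is dereferenced. */
void palloc_commit_free_entry(struct palloc_req *req)
{
    unsigned bit = (unsigned)(req->entry_nr % 64);
    req->bitmap_bh->data[bit / 8] &= (unsigned char)~(1u << (bit % 8));
    req->desc_bh->data[0]++;         /* count one more free entry */
}

/* Before the fix: the request is passed on unvalidated. */
void dat_commit_free_unchecked(struct palloc_req *req)
{
    palloc_commit_free_entry(req);
}

/* After the fix: missing buffer heads are treated as metadata corruption.
 * Returns 0 on success, -1 on inconsistency (the return code is an addition
 * of this model so the outcome can be tested). */
int dat_commit_free_checked(struct palloc_req *req)
{
    if (req->desc_bh == NULL || req->bitmap_bh == NULL) {
        fs_error = 1;
        fprintf(stderr, "inconsistent request for entry %llu\n", req->entry_nr);
        return -1;
    }
    palloc_commit_free_entry(req);
    return 0;
}

int main(void)
{
    struct palloc_req bad = { 10, NULL, NULL };  /* constructed sample input */
    return dat_commit_free_checked(&bad) == -1 ? 0 : 1;
}
```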

Vulnerable products and versions

| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 4.9.335 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.301 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.268 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.226 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.158 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.82 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.0.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:* | | |