CVE-2022-50751
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
24/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

configfs: fix possible memory leak in configfs_create_dir()

kmemleak reported memory leaks in configfs_create_dir():

unreferenced object 0xffff888009f6af00 (size 192):
  comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
  backtrace:
    kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
    new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163)
    configfs_register_subsystem (fs/configfs/dir.c:1857)
    basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
    do_one_initcall (init/main.c:1296)
    do_init_module (kernel/module/main.c:2455)
    ...

unreferenced object 0xffff888003ba7180 (size 96):
  comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
  backtrace:
    kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
    configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194)
    configfs_make_dirent (fs/configfs/dir.c:248)
    configfs_create_dir (fs/configfs/dir.c:296)
    configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852)
    configfs_register_subsystem (fs/configfs/dir.c:1881)
    basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
    do_one_initcall (init/main.c:1296)
    do_init_module (kernel/module/main.c:2455)
    ...

This is because the refcount is not correct in configfs_make_dirent().
For the normal stage, the refcount changes as follows:

configfs_register_subsystem()
  configfs_create_dir()
    configfs_make_dirent()
      configfs_new_dirent()                    # set s_count = 1
      dentry->d_fsdata = configfs_get(sd);     # s_count = 2
...
configfs_unregister_subsystem()
  configfs_remove_dir()
    remove_dir()
      configfs_remove_dirent()                 # s_count = 1
    dput() ...
      *dentry_unlink_inode()*
        configfs_d_iput()                      # s_count = 0, release

However, if we fail in configfs_create():

configfs_register_subsystem()
  configfs_create_dir()
    configfs_make_dirent()                     # s_count = 2
    ...
    configfs_create()                          # fail
    -> out_remove:
      configfs_remove_dirent(dentry)
        configfs_put(sd)                       # s_count = 1
      return PTR_ERR(inode);

There is no inode in the error path, so the configfs_d_iput() is lost,
and sd and the fragment memory are leaked.

To fix this, when we fail in configfs_create(), manually call
configfs_put(sd) to keep the refcount correct.
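The reference accounting traced above, as an added, self-contained model that is not the kernel's configfs code: a refcounted dirent-like object with the same get/put discipline, driven through the normal path, the failing create path before the fix, and the same path with the extra configfs_put(sd) the fix adds. Names (simulate, new_dirent, live_objects) are my own.

```c
/* Simplified model of the s_count accounting from the commit message.
 * NOT the kernel's configfs code; structure and names are assumptions
 * chosen to mirror the call sequence described above. */
#include <stdlib.h>

struct sd { int s_count; };
static int live_objects;                 /* allocated but not yet freed */

static struct sd *new_dirent(void) {     /* configfs_new_dirent(): s_count = 1 */
    struct sd *sd = calloc(1, sizeof *sd);
    sd->s_count = 1;
    live_objects++;
    return sd;
}

static struct sd *get(struct sd *sd) {   /* configfs_get(): one more holder */
    sd->s_count++;
    return sd;
}

static void put(struct sd *sd) {         /* configfs_put(): release at zero */
    if (--sd->s_count == 0) {
        free(sd);
        live_objects--;
    }
}

/* One create/teardown cycle. fail_create models configfs_create() failing;
 * apply_fix adds the configfs_put(sd) the patch inserts on that error path.
 * Returns the number of objects still live: 1 means leaked, 0 means freed. */
int simulate(int fail_create, int apply_fix) {
    live_objects = 0;
    struct sd *sd = new_dirent();            /* s_count = 1 */
    struct sd *d_fsdata = get(sd);           /* dentry->d_fsdata, s_count = 2 */

    if (fail_create) {
        put(sd);                             /* configfs_remove_dirent(): s_count = 1 */
        if (apply_fix)
            put(d_fsdata);                   /* no inode, so no configfs_d_iput(): drop it here */
        return live_objects;
    }

    /* Normal teardown: remove the dirent, then the inode's d_iput drops d_fsdata. */
    put(sd);                                 /* configfs_remove_dirent(): s_count = 1 */
    put(d_fsdata);                           /* configfs_d_iput(): s_count = 0, release */
    return live_objects;
}
```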
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/07f82dca112262b169bec0001378126439cab776
- https://git.kernel.org/stable/c/74ac7c9ee2d486c501e7864c903f5098fc477acd
- https://git.kernel.org/stable/c/8bc77754224a2c8581727ffe2e958119b4e27c8f
- https://git.kernel.org/stable/c/90c38f57a821499391526b15cc944c265bd24e48
- https://git.kernel.org/stable/c/c65234b283a65cfbfc94619655e820a5e55199eb
- https://git.kernel.org/stable/c/c72eb6e6e49a71f7598740786568fafdd013a227