CVE-2023-53526

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jbd2: check &amp;#39;jh-&gt;b_transaction&amp;#39; before removing it from checkpoint<br /> <br /> Following process will corrupt ext4 image:<br /> Step 1:<br /> jbd2_journal_commit_transaction<br /> __jbd2_journal_insert_checkpoint(jh, commit_transaction)<br /> // Put jh into trans1-&gt;t_checkpoint_list<br /> journal-&gt;j_checkpoint_transactions = commit_transaction<br /> // Put trans1 into journal-&gt;j_checkpoint_transactions<br /> <br /> Step 2:<br /> do_get_write_access<br /> test_clear_buffer_dirty(bh) // clear buffer dirty，set jbd dirty<br /> __jbd2_journal_file_buffer(jh, transaction) // jh belongs to trans2<br /> <br /> Step 3:<br /> drop_cache<br /> journal_shrink_one_cp_list<br /> jbd2_journal_try_remove_checkpoint<br /> if (!trylock_buffer(bh)) // lock bh, true<br /> if (buffer_dirty(bh)) // buffer is not dirty<br /> __jbd2_journal_remove_checkpoint(jh)<br /> // remove jh from trans1-&gt;t_checkpoint_list<br /> <br /> Step 4:<br /> jbd2_log_do_checkpoint<br /> trans1 = journal-&gt;j_checkpoint_transactions<br /> // jh is not in trans1-&gt;t_checkpoint_list<br /> jbd2_cleanup_journal_tail(journal) // trans1 is done<br /> <br /> Step 5: Power cut, trans2 is not committed, jh is lost in next mounting.<br /> <br /> Fix it by checking &amp;#39;jh-&gt;b_transaction&amp;#39; before remove it from checkpoint.