CVE-2023-54127

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
24/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()

Syzkaller reported the following issue:
==================================================================
BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]
BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800
Free of addr ffff888086408000 by task syz-executor.4/12750
[...]
Call Trace:

[...]
kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482
____kasan_slab_free+0xfb/0x120
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0x71/0x110 mm/slub.c:3800
dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87
jfs_put_super+0x86/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x310 fs/super.c:492
kill_block_super+0x79/0xd0 fs/super.c:1386
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1291
task_work_run+0x243/0x300 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171
exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296
do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]


Allocated by task 13352:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:371 [inline]
__kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
kmalloc include/linux/slab.h:580 [inline]
dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164
jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121
jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556
mount_bdev+0x26c/0x3a0 fs/super.c:1359
legacy_get_tree+0xea/0x180 fs/fs_context.c:610
vfs_get_tree+0x88/0x270 fs/super.c:1489
do_new_mount+0x289/0xad0 fs/namespace.c:3145
do_mount fs/namespace.c:3488 [inline]
__do_sys_mount fs/namespace.c:3697 [inline]
__se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 13352:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x3d/0x60 mm/kasan/common.c:52
kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0x71/0x110 mm/slub.c:3800
dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264
jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247
jfs_remount+0x3db/0x710 fs/jfs/super.c:454
reconfigure_super+0x3bc/0x7b0 fs/super.c:935
vfs_fsconfig_locked fs/fsopen.c:254 [inline]
__do_sys_fsconfig fs/fsopen.c:439 [inline]
__se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]

JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in
dbUnmount().

Syzkaller uses faultinject to reproduce this KASAN double-free
warning. The issue is triggered if either diMount() or dbMount() fail
in jfs_remount(), since diUnmount() or dbUnmount() already happened in
such a case - they will do double-free on next execution: jfs_umount
or jfs_remount.

Tested on both upstream and jfs-next by syzkaller.
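The failure sequence the commit message describes, as an added example that is neither the kernel's code nor part of this page: a constructed userland model in C of dbMount()/dbUnmount() and the remount ordering the two KASAN stacks show (dbUnmount() reached from jfs_mount_rw(), then a fresh allocation in dbMount()). The struct names, the instrumented allocator, the fail_alloc knob standing in for syzkaller's fault injection, and the jfs_remount_model() ordering are assumptions of this model; the real dbUnmount() frees more than one object and takes locks the model omits, and diMount()/diUnmount() follow the same pattern for the inode map. The vulnerable variant leaves sbi->bmap dangling, so the umount that follows a failed remount frees the same slot twice; the fixed variant clears the pointer after the free, which is the change the message describes, and relies on freeing NULL being a no-op, as kfree() is in the kernel.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the JFS objects in the report (not kernel code):
 * sbi->bmap is the in-memory block map dbMount() allocates and dbUnmount()
 * frees. */
struct bmap { int nfree; };
struct jfs_sb_info { struct bmap *bmap; };

/* Instrumented allocator in place of kmalloc()/kfree(): freeing a slot that
 * is not in use is counted (the event KASAN reported) instead of corrupting
 * the real heap, so the run can be checked rather than crash. */
#define SLOTS 4
static struct bmap slab[SLOTS];
static int in_use[SLOTS];
static int double_free_count;

static struct bmap *kmalloc_bmap(void)
{
	for (int i = 0; i < SLOTS; i++)
		if (!in_use[i]) {
			in_use[i] = 1;
			return &slab[i];
		}
	return NULL;
}

static void kfree_bmap(struct bmap *p)
{
	if (!p)
		return;			/* like kfree(NULL) in the kernel: no-op */
	int i = (int)(p - slab);
	if (i < 0 || i >= SLOTS)
		abort();		/* not from this allocator; model bug */
	if (!in_use[i]) {
		double_free_count++;	/* "KASAN: double-free in slab_free" */
		return;
	}
	in_use[i] = 0;
}

/* dbMount(): allocate the block map. fail_alloc stands in for the fault
 * injection syzkaller used to make this allocation fail (assumed knob). */
static int dbMount(struct jfs_sb_info *sbi, int fail_alloc)
{
	struct bmap *bmp = fail_alloc ? NULL : kmalloc_bmap();

	if (!bmp)
		return -ENOMEM;
	sbi->bmap = bmp;
	return 0;
}

/* Vulnerable dbUnmount(): frees the map but leaves sbi->bmap dangling. */
static int dbUnmount_vuln(struct jfs_sb_info *sbi)
{
	kfree_bmap(sbi->bmap);
	return 0;
}

/* Fixed dbUnmount(): clear the pointer after the free, which the commit
 * message says the kernel did not do; a later call then frees NULL. */
static int dbUnmount_fixed(struct jfs_sb_info *sbi)
{
	kfree_bmap(sbi->bmap);
	sbi->bmap = NULL;
	return 0;
}

typedef int (*dbunmount_fn)(struct jfs_sb_info *);

/* Remount in the order the two KASAN stacks show: jfs_remount() ->
 * jfs_mount_rw() tears the map down with dbUnmount(), then dbMount()
 * rebuilds it. When that dbMount() fails the error propagates and the
 * caller can still umount or remount later (assumed model of the path). */
static int jfs_remount_model(struct jfs_sb_info *sbi, int fail_alloc, dbunmount_fn unmount)
{
	int rc = unmount(sbi);

	if (rc)
		return rc;
	return dbMount(sbi, fail_alloc);
}

/* mount -> failed remount -> umount; returns how many double frees the
 * instrumented allocator observed. */
static int run_sequence(dbunmount_fn unmount)
{
	struct jfs_sb_info sbi = { .bmap = NULL };

	memset(in_use, 0, sizeof in_use);
	double_free_count = 0;
	if (dbMount(&sbi, 0) != 0)		/* jfs_fill_super -> jfs_mount -> dbMount */
		abort();
	(void)jfs_remount_model(&sbi, 1, unmount); /* remount; its dbMount() fails */
	unmount(&sbi);				/* jfs_put_super -> jfs_umount -> dbUnmount */
	return double_free_count;
}

int vulnerable_double_frees(void) { return run_sequence(dbUnmount_vuln); }
int fixed_double_frees(void) { return run_sequence(dbUnmount_fixed); }

int main(void)
{
	printf("vulnerable dbUnmount: %d double free(s)\n", vulnerable_double_frees());
	printf("fixed dbUnmount:      %d double free(s)\n", fixed_double_frees());
	return 0;
}
```

Build with any C99 compiler; the vulnerable run reports one double free and the fixed run none. In a kernel build the same sequence is what the KASAN report above catches; without KASAN the second kfree() produces no report and simply corrupts the slab.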

Impact