CVE-2024-42104

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 30/07/2024
Last modified: 27/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: add missing check for inode numbers on directory entries

Syzbot reported that mounting and unmounting a specific pattern of corrupted nilfs2 filesystem images causes a use-after-free of metadata file inodes, which triggers a kernel bug in lru_add_fn().

As Jan Kara pointed out, this is because the link count of a metadata file gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(), tries to delete that inode (ifile inode in this case).

The inconsistency occurs because directories containing the inode numbers of these metadata files that should not be visible in the namespace are read without checking.

Fix this issue by treating the inode numbers of these internal files as errors in the sanity check helper when reading directory folios/pages.

Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer analysis.
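The kind of check the description refers to, as an added user-space example that is not the nilfs2 code or the upstream patch: a sanity-check helper that walks the records of one directory block and treats a reserved inode number as corruption, alongside the usual length checks. The record layout, the `demo_*` names, and the root and first-user inode constants are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout for illustration; NOT the nilfs2 on-disk format. */
#define DEMO_HDR_LEN        12u /* 8-byte LE inode, 2-byte LE rec_len, name_len, type */
#define DEMO_ROOT_INO       2u  /* assumed: the only low inode a directory may name */
#define DEMO_FIRST_USER_INO 11u /* assumed: lower numbers are internal metadata files */
enum demo_err { DEMO_OK, DEMO_E_SHORT, DEMO_E_ALIGN, DEMO_E_NAMELEN, DEMO_E_SPAN, DEMO_E_INUMBER };

/* Validate every record of one directory block read from untrusted media. */
enum demo_err demo_check_dir_block(const uint8_t *blk, size_t len) {
    for (size_t off = 0; off < len; ) {
        if (len - off < DEMO_HDR_LEN) return DEMO_E_SPAN;
        const uint8_t *de = blk + off;
        size_t rec_len = (size_t)de[8] | ((size_t)de[9] << 8);
        uint64_t ino = 0;
        for (int i = 7; i >= 0; i--) ino = (ino << 8) | de[i]; /* little-endian inode */
        if (rec_len < DEMO_HDR_LEN) return DEMO_E_SHORT; /* also stops rec_len == 0 loops */
        if (rec_len & 3) return DEMO_E_ALIGN;
        if (rec_len < DEMO_HDR_LEN + de[10]) return DEMO_E_NAMELEN;
        if (rec_len > len - off) return DEMO_E_SPAN;
        /* Inode-number check: 0 marks an unused slot, any other reserved number is corruption. */
        if (ino != 0 && ino < DEMO_FIRST_USER_INO && ino != DEMO_ROOT_INO) return DEMO_E_INUMBER;
        off += rec_len;
    }
    return DEMO_OK;
}

/* Builds one constructed sample record at buf+off and returns the next offset. */
size_t demo_put(uint8_t *buf, size_t off, uint64_t ino, const char *name, size_t rec_len) {
    memset(buf + off, 0, rec_len);
    for (int i = 0; i < 8; i++) buf[off + i] = (uint8_t)(ino >> (8 * i));
    buf[off + 8] = (uint8_t)rec_len;
    buf[off + 9] = (uint8_t)(rec_len >> 8);
    buf[off + 10] = (uint8_t)strlen(name);
    memcpy(buf + off + DEMO_HDR_LEN, name, strlen(name));
    return off + rec_len;
}

int main(void) {
    uint8_t blk[64];                      /* constructed sample block */
    size_t off = demo_put(blk, 0, 2, ".", 16);
    off = demo_put(blk, off, 2, "..", 16);
    demo_put(blk, off, 3, "leak", 32);    /* entry naming an internal inode */
    return demo_check_dir_block(blk, sizeof blk) == DEMO_E_INUMBER ? 0 : 1;
}
```

Rejecting the whole block at read time means a lookup never hands an internal inode to the namespace, so its link count cannot be altered through a directory entry.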

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | - | 4.19.318 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.280 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.222 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.163 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.98 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.39 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.9 (excluding)