CVE-2022-50755
Severity:
Pending analysis
Type:
Not Available / Other type
Publication date:
24/12/2025
Last modified:
24/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

udf: Avoid double brelse() in udf_rename()

syzbot reported a warning like below [1]:

VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0
...
Call Trace:

invalidate_bh_lru+0x99/0x150
smp_call_function_many_cond+0xe2a/0x10c0
? generic_remap_file_range_prep+0x50/0x50
? __brelse+0xa0/0xa0
? __mutex_lock+0x21c/0x12d0
? smp_call_on_cpu+0x250/0x250
? rcu_read_lock_sched_held+0xb/0x60
? lock_release+0x587/0x810
? __brelse+0xa0/0xa0
? generic_remap_file_range_prep+0x50/0x50
on_each_cpu_cond_mask+0x3c/0x80
blkdev_flush_mapping+0x13a/0x2f0
blkdev_put_whole+0xd3/0xf0
blkdev_put+0x222/0x760
deactivate_locked_super+0x96/0x160
deactivate_super+0xda/0x100
cleanup_mnt+0x222/0x3d0
task_work_run+0x149/0x240
? task_work_cancel+0x30/0x30
do_exit+0xb29/0x2a40
? reacquire_held_locks+0x4a0/0x4a0
? do_raw_spin_lock+0x12a/0x2b0
? mm_update_next_owner+0x7c0/0x7c0
? rwlock_bug.part.0+0x90/0x90
? zap_other_threads+0x234/0x2d0
do_group_exit+0xd0/0x2a0
__x64_sys_exit_group+0x3a/0x50
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The cause of the issue is that brelse() is called on both ofibh.sbh
and ofibh.ebh by udf_find_entry() when it returns NULL. However,
brelse() is called by udf_rename(), too. So, b_count on buffer_head
becomes unbalanced.

This patch fixes the issue by not calling brelse() by udf_rename()
when udf_find_entry() returns NULL.
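
The reference-count imbalance described above, reduced to a user-space C model (an added example, not the kernel's code or the patch itself). The names `buf`, `fibh`, `find_entry` and `rename_model`, and the extra holder that owns one reference per buffer, are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* User-space model of a buffer_head reference count; not kernel code. */
struct buf { int b_count; int warned; };
struct fibh { struct buf *sbh, *ebh; };

static void get_buf(struct buf *b) { b->b_count++; }

/* Models brelse(): drop one reference, or record the "free free buffer" warning. */
static void put_buf(struct buf *b)
{
    if (!b) return;
    if (b->b_count > 0) b->b_count--;
    else b->warned = 1;
}

/* Models the lookup: takes references, and on a miss releases them itself. */
static void *find_entry(struct fibh *f, struct buf *s, struct buf *e, int found)
{
    static int entry;
    f->sbh = s; f->ebh = e;
    get_buf(s); get_buf(e);
    if (found) return &entry;
    put_buf(f->ebh); put_buf(f->sbh);
    return NULL;
}

/* Returns 1 if another holder's later release hits the warning.
 * Assumption: each buffer starts with one reference owned by that holder. */
static int rename_model(int found, int fixed)
{
    struct buf s = {1, 0}, e = {1, 0};
    struct fibh f = {NULL, NULL};
    void *ent = find_entry(&f, &s, &e, found);

    /* Pre-fix caller releases unconditionally; fixed caller skips it on a miss. */
    if (ent || !fixed) { put_buf(f.ebh); put_buf(f.sbh); }

    put_buf(&s); put_buf(&e);   /* the other holder drops its references later */
    return s.warned || e.warned;
}

int main(void)
{
    printf("miss, pre-fix caller: warned=%d\n", rename_model(0, 0));
    printf("miss, fixed caller:   warned=%d\n", rename_model(0, 1));
    printf("hit,  fixed caller:   warned=%d\n", rename_model(1, 1));
    return 0;
}
```

In the model the warning fires on the other holder's release rather than inside the rename path, because the extra release consumed a reference the caller did not own.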
Impact
References to solutions, tools and information
- https://git.kernel.org/stable/c/090bf49833c51da297ec74f98ad2bf44daea9311
- https://git.kernel.org/stable/c/156d440dea97deada629bb51cb17887abd862605
- https://git.kernel.org/stable/c/40dba68d418237b1ae2beaa06d46a94dd946278e
- https://git.kernel.org/stable/c/4fca09045509f5bde8fc28e68fbca38cb4bdcf2e
- https://git.kernel.org/stable/c/78eba2778ae10fb2a9d450e14d26eb6f6bf1f906
- https://git.kernel.org/stable/c/9d2cad69547abea961fa80426d600b861de1952b
- https://git.kernel.org/stable/c/c791730f2554a9ebb8f18df9368dc27d4ebc38c2
- https://git.kernel.org/stable/c/d6da7ec0f94f5208c848e0e94b70f54a0bd9c587
- https://git.kernel.org/stable/c/e7a6a53c871460727be09f4414ccb29fb8697526



