CVE-2021-47638

Severity (CVSS v4.0): Pending analysis
Type: CWE-415 Double Free
Publication date: 26/02/2025
Last modified: 01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ubifs: rename_whiteout: Fix double free for whiteout_ui->data

'whiteout_ui->data' will be freed twice if the space budget fails for the
rename whiteout operation, as in the following process:

rename_whiteout
  dev = kmalloc
  whiteout_ui->data = dev
  kfree(whiteout_ui->data)    // Free first time
  iput(whiteout)
    ubifs_free_inode
      kfree(ui->data)         // Double free!

KASAN reports:
==================================================================
BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70
Call Trace:
  kfree+0x117/0x490
  ubifs_free_inode+0x4f/0x70 [ubifs]
  i_callback+0x30/0x60
  rcu_do_batch+0x366/0xac0
  __do_softirq+0x133/0x57f

Allocated by task 1506:
  kmem_cache_alloc_trace+0x3c2/0x7a0
  do_rename+0x9b7/0x1150 [ubifs]
  ubifs_rename+0x106/0x1f0 [ubifs]
  do_syscall_64+0x35/0x80

Freed by task 1506:
  kfree+0x117/0x490
  do_rename.cold+0x53/0x8a [ubifs]
  ubifs_rename+0x106/0x1f0 [ubifs]
  do_syscall_64+0x35/0x80

The buggy address belongs to the object at ffff88810238bed8 which
belongs to the cache kmalloc-8 of size 8
==================================================================

Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete the unused
assignment 'whiteout_ui->data_len = 0'; the process 'ubifs_evict_inode()
-> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it
(because 'inc_nlink(whiteout)' won't be executed by 'goto out_release',
and the nlink of the whiteout inode is 0).
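The ownership mistake behind this CVE, as an added user-space model (not kernel or ubifs code): once the buffer is attached to the inode, the inode destructor is its single owner, so the error path must not free it itself. The names ui_model, kfree_model and rename_whiteout_model are assumptions of this model; the kfree stand-in counts repeat releases of a pointer instead of freeing it twice.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the one struct ubifs_inode field the bug concerns (a model, not kernel code). */
struct ui_model { void *data; };

/* kfree() stand-in: frees on the first release and counts any later release of the same
 * pointer, so a double free is reported instead of corrupting the allocator. */
static uintptr_t freed_log[8];
static int freed_n;

static int kfree_model(void *p)
{
    uintptr_t key = (uintptr_t)p;
    int seen = 0;
    for (int i = 0; i < freed_n; i++)
        seen += (freed_log[i] == key);
    if (freed_n < 8)
        freed_log[freed_n++] = key;
    if (!seen)
        free(p);
    return seen;                     /* non-zero: this pointer was already freed */
}

/* Models rename_whiteout(): budget_fails simulates the space budget failing, fixed
 * selects the patched error path. Returns the number of double frees observed. */
static int rename_whiteout_model(int budget_fails, int fixed)
{
    struct ui_model whiteout_ui = { 0 };
    int dbl = 0;

    freed_n = 0;
    whiteout_ui.data = malloc(8);    /* dev = kmalloc(); whiteout_ui->data = dev */
    if (budget_fails && !fixed) {
        /* Buggy error path: frees a buffer the inode still owns ("Free first time"). */
        dbl += kfree_model(whiteout_ui.data);
    }
    /* iput(whiteout) on the error path, or eviction later on the success path, both
     * reach ubifs_free_inode(), which frees ui->data: that destructor is the owner. */
    dbl += kfree_model(whiteout_ui.data);
    return dbl;
}

int main(void)
{
    printf("buggy: %d double free(s), fixed: %d\n", rename_whiteout_model(1, 0), rename_whiteout_model(1, 1));
    return 0;
}
```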

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.9 (including) 4.14.276 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.238 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.189 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.110 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17 (including) 5.17.2 (excluding)