CVE-2023-52566

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
02/03/2024
Last modified:
08/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()

In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the
reference count of bh when the call to nilfs_dat_translate() fails. If
the reference count hits 0 and its owner page gets unlocked, bh may be
freed. However, bh->b_page is dereferenced to put the page after that,
which may result in a use-after-free bug. This patch moves the release
operation after unlocking and putting the page.

NOTE: The function in question is only called in GC, and in combination
with current userland tools, address translation using DAT does not occur
in that function, so the code path that causes this issue will not be
executed. However, it is possible to run that code path by intentionally
modifying the userland GC library or by calling the GC ioctl directly.

[konishi.ryusuke@gmail.com: NOTE added to the commit log]
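The ordering bug described in the commit message, as an added example that is not part of this advisory, of the nilfs2 patch, or of the kernel: a userland C model of the error path before and after the fix. The struct layouts, the model_* and maybe_free_bh helpers, the bh_page() accessor, the translate_err argument standing in for the result of nilfs_dat_translate(), and the starting state (a locked, referenced page carrying one referenced buffer head) are all constructed for the example. Reclaim is modelled as tearing down a zero-count buffer head the instant its page is unlocked, which is the worst case the commit message describes.

```c
/* Cut-down stand-ins for the kernel structs: a model, not the real definitions. */
struct buffer_head;
struct page {
    int refcount;              /* dropped by put_page() */
    int locked;                /* lock_page() / unlock_page() */
    struct buffer_head *bh;    /* model: the one buffer attached to this page */
};
struct buffer_head {
    int b_count;               /* dropped by brelse() */
    struct page *b_page;       /* owning page; the pointer the bug reads after release */
    int freed;                 /* model: set once the bh has been torn down */
};
static int uaf_events;         /* each read through a freed bh is counted here */

/* All reads of bh->b_page go through this accessor so that a use-after-free is
 * observable in the model instead of being undefined behaviour. */
static struct page *bh_page(struct buffer_head *bh)
{
    if (bh->freed)
        uaf_events++;
    return bh->b_page;
}

/* A zero-count buffer on an unlocked page may be torn down by reclaim at any
 * moment; the model makes that worst case happen as soon as both conditions hold. */
static void maybe_free_bh(struct buffer_head *bh)
{
    if (bh->b_count == 0 && !bh->b_page->locked)
        bh->freed = 1;
}

static void model_brelse(struct buffer_head *bh)
{
    bh->b_count--;
    maybe_free_bh(bh);
}

static void model_unlock_page(struct page *page)
{
    page->locked = 0;
    maybe_free_bh(page->bh);
}

static void model_put_page(struct page *page) { page->refcount--; }

/* Error path as it was before the fix. translate_err stands in for the return
 * value of nilfs_dat_translate(); I/O submission on success is not modelled. */
static int submit_read_data_before_fix(struct buffer_head *bh, int translate_err)
{
    int err = translate_err;
    if (err) {                        /* -EIO, -ENOMEM, -ENOENT */
        model_brelse(bh);             /* b_count hits 0 while the page is still locked */
        goto failed;
    }
    return 0;
 failed:
    model_unlock_page(bh_page(bh));   /* page unlocked: the zero-count bh is now freed */
    model_put_page(bh_page(bh));      /* reads b_page from the freed bh */
    return err;
}

/* Error path as fixed: the buffer reference is dropped only after the last
 * use of bh->b_page. */
static int submit_read_data_after_fix(struct buffer_head *bh, int translate_err)
{
    int err = translate_err;
    if (err)
        goto failed;
    return 0;
 failed:
    model_unlock_page(bh_page(bh));
    model_put_page(bh_page(bh));
    model_brelse(bh);                 /* bh is not touched again after this */
    return err;
}

struct scenario_result {
    int err;            /* value returned by the modelled function */
    int uaf;            /* freed-bh dereferences observed */
    int page_refcount;  /* 0 on the error path: the page reference was returned */
    int page_locked;    /* 0 on the error path: the page was unlocked */
};

/* Start from the constructed state nilfs_grab_buffer() would leave behind: a
 * locked, referenced page carrying one referenced buffer. */
static struct scenario_result run_scenario(int use_fix, int translate_err)
{
    struct page page = { .refcount = 1, .locked = 1 };
    struct buffer_head bh = { .b_count = 1, .b_page = &page };
    struct scenario_result r;
    page.bh = &bh;
    uaf_events = 0;
    r.err = use_fix ? submit_read_data_after_fix(&bh, translate_err)
                    : submit_read_data_before_fix(&bh, translate_err);
    r.uaf = uaf_events;
    r.page_refcount = page.refcount;
    r.page_locked = page.locked;
    return r;
}
```

run_scenario(0, -5) reports one read through the freed buffer head, at the put_page() call; run_scenario(1, -5) reports none and still returns the page reference and unlocks the page. That is the invariant to check when a release is reordered in an error path: every dereference of bh->b_page must precede the brelse() that can make bh reclaimable, and the page reference and lock must still be dropped exactly once.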

Vulnerable products and versions

CPE                                                From (including)   Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       2.6.30             4.14.327
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.15               4.19.296
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       4.20               5.4.258
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.5                5.10.198
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11               5.15.134
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16               6.1.56
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2                6.5.6
cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*   (exact version)
cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*   (exact version)
cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*   (exact version)