CVE-2024-26704

Severity CVSS v4.0: Pending analysis
Type: CWE-415 Double Free
Publication date: 03/04/2024
Last modified: 14/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix double-free of blocks due to wrong extents moved_len

In ext4_move_extents(), moved_len is only updated when all moves are successfully executed, and only discards orig_inode and donor_inode preallocations when moved_len is not zero. When the loop fails to exit after successfully moving some extents, moved_len is not updated and remains at 0, so it does not discard the preallocations.

If the moved extents overlap with the preallocated extents, the overlapped extents are freed twice in ext4_mb_release_inode_pa() and ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4: Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is incremented twice. Hence when trim is executed, a zero-division bug is triggered in mb_update_avg_fragment_size() because bb_free is not zero and bb_fragments is zero.

Therefore, update move_len after each extent move to avoid the issue.

Vulnerable products and versions

CPE                                               From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      3.18 (including)  4.19.307 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      4.20 (including)  5.4.269 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.5 (including)   5.10.210 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)  5.15.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)  6.1.79 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)   6.6.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)   6.7.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
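
A triage helper for the version table above, added here as an example and not taken from the advisory or the kernel project: it checks a `uname -r` style release string against the listed upstream ranges. The names AFFECTED_RANGES, AFFECTED_RCS, parse_release and is_listed_affected are hypothetical, the sample strings are constructed, and treating a pre-release of a listed line as affected is an assumption of this example.

```python
import re

# Upstream ranges copied from the table above: (first affected, first fixed).
AFFECTED_RANGES = [
    ((3, 18, 0), (4, 19, 307)),
    ((4, 20, 0), (5, 4, 269)),
    ((5, 5, 0), (5, 10, 210)),
    ((5, 11, 0), (5, 15, 149)),
    ((5, 16, 0), (6, 1, 79)),
    ((6, 2, 0), (6, 6, 18)),
    ((6, 7, 0), (6, 7, 6)),
]
# Release candidates the table lists individually: (major, minor, rc number).
AFFECTED_RCS = {(6, 8, 1), (6, 8, 2)}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Split a release string into ((major, minor, patch), rc number or None)."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)


def in_listed_range(version):
    """True if (major, minor, patch) falls in one of the table's ranges."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def is_listed_affected(release):
    """True if the upstream version in `release` matches the table above."""
    version, rc = parse_release(release)
    if rc is not None:
        # Explicit rc entries first. Assumption of this example: a pre-release
        # of a line whose .0 release is listed is treated as affected too.
        return (version[0], version[1], rc) in AFFECTED_RCS or in_listed_range(version)
    return in_listed_range(version)


if __name__ == "__main__":
    # Constructed sample release strings, not taken from real hosts.
    for sample in ("5.10.209-amd64", "5.10.210", "6.8.0-rc2", "6.8.0-rc3"):
        print(f"{sample}: {'listed as affected' if is_listed_affected(sample) else 'not listed'}")
```

Distribution kernels often backport fixes without changing the upstream version in the release string, so a match here is a prompt to check the vendor's advisory, not proof that the host is vulnerable.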