CVE-2024-39276

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
25/06/2024
Last modified:
24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()

Syzbot reports a warning as follows:

============================================
WARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290
Modules linked in:
CPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7
RIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419
Call Trace:
ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375
generic_shutdown_super+0x136/0x2d0 fs/super.c:641
kill_block_super+0x44/0x90 fs/super.c:1675
ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327
[...]
============================================

This is because when finding an entry in ext4_xattr_block_cache_find(), if
ext4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown
in the __entry_find(), won't be put away, and eventually trigger the above
issue in mb_cache_destroy() due to reference count leakage.

So call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.
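Added example, not part of the CVE record or the kernel source: a simplified userspace model of the leak described above, showing how an error return taken after a reference-taking lookup leaves the count raised until teardown. All type and function names are hypothetical, and the model assumes each entry holds one base reference owned by the cache.

```c
/* Simplified userspace model; every name is hypothetical, not kernel code. */
#include <errno.h>
#include <stdio.h>

struct entry { int refcnt; int block; };   /* refcnt models e_refcnt */
struct cache { struct entry e[2]; };

/* Lookup returns the entry with its count raised, like __entry_find(). */
static struct entry *entry_find(struct cache *c, int block)
{
    for (int i = 0; i < 2; i++)
        if (c->e[i].block == block) { c->e[i].refcnt++; return &c->e[i]; }
    return NULL;
}

static void entry_put(struct entry *ce) { ce->refcnt--; }

/* put_on_error = 0 models the leaking path, 1 models the fix. */
static int cache_find(struct cache *c, int block, int read_err, int put_on_error)
{
    struct entry *ce = entry_find(c, block);
    if (!ce)
        return -ENOENT;
    if (read_err) {              /* stand-in for ext4_sb_bread() failing */
        if (put_on_error)
            entry_put(ce);       /* drop the reference the lookup took */
        return read_err;         /* otherwise the count stays raised */
    }
    entry_put(ce);               /* normal path releases the reference */
    return 0;
}

/* Teardown check: count entries holding more than the cache's own reference. */
static int leaked_at_destroy(const struct cache *c)
{
    int n = 0;
    for (int i = 0; i < 2; i++)
        n += (c->e[i].refcnt != 1);
    return n;
}

static int run_scenario(int put_on_error)
{
    struct cache c = { { { 1, 10 }, { 1, 20 } } };   /* constructed sample state */
    cache_find(&c, 10, -ENOMEM, put_on_error);       /* read fails */
    cache_find(&c, 20, 0, put_on_error);             /* read succeeds */
    return leaked_at_destroy(&c);
}

int main(void) { printf("leaked: %d vs %d\n", run_scenario(0), run_scenario(1)); return 0; }
```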

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.14.92 (including) 4.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19.14 (including) 4.19.316 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20.1 (including) 5.4.278 (including)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.15.161 (including)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.94 (including)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.34 (including)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.9.5 (including)