CVE-2024-49870
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/10/2024
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

cachefiles: fix dentry leak in cachefiles_open_file()

A dentry leak may be caused when a lookup cookie and a cull are concurrent:

```
P1                             |  P2
-----------------------------------------------------------
cachefiles_lookup_cookie
  cachefiles_look_up_object
    lookup_one_positive_unlocked
     // get dentry
                                  cachefiles_cull
                                    inode->i_flags |= S_KERNEL_FILE;
    cachefiles_open_file
      cachefiles_mark_inode_in_use
        __cachefiles_mark_inode_in_use
          can_use = false
          if (!(inode->i_flags & S_KERNEL_FILE))
            can_use = true
          return false
        return false
        // Returns an error but doesn't put dentry
```

After that the following WARNING will be triggered when the backend folder is umounted:

```
==================================================================
BUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img} still in use (1) [unmount of ext4 sda]
WARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70
CPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25
RIP: 0010:umount_check+0x5d/0x70
Call Trace:
 d_walk+0xda/0x2b0
 do_one_tree+0x20/0x40
 shrink_dcache_for_umount+0x2c/0x90
 generic_shutdown_super+0x20/0x160
 kill_block_super+0x1a/0x40
 ext4_kill_sb+0x22/0x40
 deactivate_locked_super+0x35/0x80
 cleanup_mnt+0x104/0x160
==================================================================
```

Whether cachefiles_open_file() returns true or false, the reference count obtained by lookup_positive_unlocked() in cachefiles_look_up_object() should be released.

Therefore release that reference count in cachefiles_look_up_object() to fix the above issue and simplify the code.
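
A user-space C model of the leak described in the commit message above, added here as an illustration; it is not the kernel's code or the upstream patch. The struct layouts, the `S_KERNEL_FILE` value and the names `open_file`, `look_up_leaky`, `look_up_fixed` and `refs_after_race` are assumptions, and the cull is modelled as having already set the flag when the open step runs.

```c
#include <stdbool.h>
#include <stdio.h>
#define S_KERNEL_FILE 0x1u  /* stand-in bit, not the kernel's value */

struct inode  { unsigned int i_flags; };
struct dentry { int refcount; struct inode *inode; };

/* Model of the check in the trace: fails once S_KERNEL_FILE is set. */
static bool open_file(struct dentry *d)
{
    if (d->inode->i_flags & S_KERNEL_FILE)
        return false;               /* the cull (P2) got there first */
    d->inode->i_flags |= S_KERNEL_FILE;
    return true;
}

/* Before: the failure path returns without dropping the lookup reference. */
static bool look_up_leaky(struct dentry *d)
{
    d->refcount++;                  /* lookup: get dentry */
    if (!open_file(d))
        return false;               /* reference leaked here */
    d->refcount--;                  /* success path drops it (model assumption) */
    return true;
}

/* After: the lookup reference is released whatever open_file() returns. */
static bool look_up_fixed(struct dentry *d)
{
    d->refcount++;                  /* lookup: get dentry */
    bool ok = open_file(d);
    d->refcount--;
    return ok;
}

/* P2 sets the flag before P1's open step; returns the references left over. */
static int refs_after_race(bool (*look_up)(struct dentry *))
{
    struct inode ino = { .i_flags = S_KERNEL_FILE };   /* P2: cull marked it */
    struct dentry d = { .refcount = 0, .inode = &ino };
    look_up(&d);                                       /* P1: lookup, failed open */
    return d.refcount;
}

int main(void)
{
    printf("leaky=%d fixed=%d\n", refs_after_race(look_up_leaky), refs_after_race(look_up_fixed));
    return 0;
}
```

The leftover count of 1 in the leaky variant corresponds to the `still in use (1)` value in the umount warning.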
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 6.1.113 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.55 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.11 (including) | 6.11.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/7fa2382f97421978514a419c93054eca69f5247b
- https://git.kernel.org/stable/c/c7d10fa7d7691558ff967668494672415f5fa151
- https://git.kernel.org/stable/c/d32ff64c872d7e08e893c32ba6a2374583444410
- https://git.kernel.org/stable/c/da6ef2dffe6056aad3435e6cf7c6471c2a62187c
- https://git.kernel.org/stable/c/e4a28489b310339b2b8187bec0a437709be551c1
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html



