
Description

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount

syzbot found an invalid-free in diUnmount:

BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]
BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674
Free of addr ffff88806f410000 by task syz-executor131/3632

CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:284
print_report+0x107/0x1f0 mm/kasan/report.c:395
kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460
____kasan_slab_free+0xfb/0x120
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x71/0x110 mm/slub.c:3674
diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195
jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63
jfs_put_super+0x86/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x130/0x310 fs/super.c:492
kill_block_super+0x79/0xd0 fs/super.c:1428
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
cleanup_mnt+0x494/0x520 fs/namespace.c:1186
task_work_run+0x243/0x300 kernel/task_work.c:179
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x664/0x2070 kernel/exit.c:820
do_group_exit+0x1fd/0x2b0 kernel/exit.c:950
__do_sys_exit_group kernel/exit.c:961 [inline]
__se_sys_exit_group kernel/exit.c:959 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]

JFS_IP(ipimap)->i_imap is not set to NULL after free in diUnmount.
If jfs_remount() frees JFS_IP(ipimap)->i_imap but then fails at diMount(), JFS_IP(ipimap)->i_imap will be freed once again. Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.
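The failure sequence in the description, replayed as a simplified C model written for this page (it is not kernel code and not the upstream patch): the struct jfs_ip stands in for JFS_IP(ipimap), a small quarantine stands in for KASAN's double-free detection, and the injected diMount() read failure, the function names and the use of host errno values are assumptions of the demo. It runs mount, a remount whose diMount() fails, and the final unmount twice, once with diUnmount() leaving the pointer dangling and once with the pointer cleared after the free, as the fix does.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for struct inomap and JFS_IP(ipimap) (not kernel types). */
struct inomap { unsigned char payload[64]; };
struct jfs_ip { struct inomap *i_imap; };

/* Quarantine: freed objects are parked here instead of going back to the
 * allocator, so a second free of the same address is detected instead of
 * corrupting the heap, and the address cannot be recycled in between.
 * This mimics what KASAN did in the report; it is not the kernel's code. */
#define QUARANTINE_MAX 16
static void *quarantine[QUARANTINE_MAX];
static int quarantine_len;
static int double_free_count;

static void tracked_free(void *p)
{
    if (p == NULL)                      /* kfree(NULL) is a no-op in the kernel */
        return;
    for (int i = 0; i < quarantine_len; i++) {
        if (quarantine[i] == p) {       /* same object freed twice */
            double_free_count++;
            return;
        }
    }
    if (quarantine_len < QUARANTINE_MAX)
        quarantine[quarantine_len++] = p;
    else
        free(p);                        /* beyond the quarantine, detection is lost */
}

static void drain_quarantine(void)
{
    for (int i = 0; i < quarantine_len; i++)
        free(quarantine[i]);
    quarantine_len = 0;
}

/* diMount(): allocate the in-memory map, then read it from disk. On a read
 * failure only the new object is released and i_imap is left untouched.
 * The fail flag injects that failure (assumption of the demo). */
static int diMount(struct jfs_ip *ipimap, int fail)
{
    struct inomap *imap = malloc(sizeof(*imap));
    if (imap == NULL)
        return -ENOMEM;
    if (fail) {
        free(imap);
        return -EIO;                    /* i_imap still holds the old pointer */
    }
    memset(imap, 0, sizeof(*imap));
    ipimap->i_imap = imap;
    return 0;
}

/* diUnmount() before the fix: frees the map, pointer left dangling. */
static void diUnmount_buggy(struct jfs_ip *ipimap)
{
    tracked_free(ipimap->i_imap);
}

/* diUnmount() after the fix: pointer cleared, so a later call frees NULL. */
static void diUnmount_fixed(struct jfs_ip *ipimap)
{
    tracked_free(ipimap->i_imap);
    ipimap->i_imap = NULL;
}

/* Replays mount, remount whose diMount() fails, then final unmount.
 * Returns the number of double frees the quarantine observed. */
static int simulate(int fixed)
{
    struct jfs_ip ipimap = { .i_imap = NULL };
    void (*diUnmount)(struct jfs_ip *) = fixed ? diUnmount_fixed : diUnmount_buggy;

    double_free_count = 0;
    if (diMount(&ipimap, 0) != 0)
        return -1;

    diUnmount(&ipimap);                 /* jfs_remount(): tear down the old map ... */
    (void)diMount(&ipimap, 1);          /* ... rebuild fails, i_imap not reassigned */
    diUnmount(&ipimap);                 /* jfs_umount() at exit: frees i_imap again */

    drain_quarantine();
    return double_free_count;
}

int main(void)
{
    printf("before fix: %d double free(s)\n", simulate(0));
    printf("after fix:  %d double free(s)\n", simulate(1));
    return 0;
}
```

simulate(0) reports one double free and simulate(1) none. Clearing the pointer is sufficient here only because kfree(NULL) is a no-op and diUnmount() is the path that releases i_imap on both remount and final unmount; a pointer cleared after kfree() is the cheap, general defence against exactly this "free on an error path, free again at teardown" pattern.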

PUBLISHED Reserved 2025-10-04 | Published 2025-10-04 | Updated 2025-10-04 | Assigner Linux

Product status

Git commit ranges (default status: unaffected)

affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before c3c0f0ddd851b3fa3e9d3450bbcd561f4f850469
affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 114ea3cb13ab25f7178cb60283adb93d2f96dad7
affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 5873df0195124be2f357de11bfd473ead4f90ed8
affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 756747d4b439e3e1159282ae89f17eefebbe9b25
affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before ef7311101ca43dd73b45bca7a30ac72d9535ff87
affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 4de3a603010e0ca334487de24c6aab0777b7f808
affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 88484bde6f12126616b38e43b6c00edcd941f615
affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 6e2bda2c192d0244b5a78b787ef20aa10cb319b7

Release versions (default status: affected)

unaffected: 4.14.326
unaffected: 4.19.295
unaffected: 5.4.257
unaffected: 5.10.197
unaffected: 5.15.133
unaffected: 6.1.55
unaffected: 6.5.5
unaffected: 6.6

References

git.kernel.org/...c/c3c0f0ddd851b3fa3e9d3450bbcd561f4f850469

git.kernel.org/...c/114ea3cb13ab25f7178cb60283adb93d2f96dad7

git.kernel.org/...c/5873df0195124be2f357de11bfd473ead4f90ed8

git.kernel.org/...c/756747d4b439e3e1159282ae89f17eefebbe9b25

git.kernel.org/...c/ef7311101ca43dd73b45bca7a30ac72d9535ff87

git.kernel.org/...c/4de3a603010e0ca334487de24c6aab0777b7f808

git.kernel.org/...c/88484bde6f12126616b38e43b6c00edcd941f615

git.kernel.org/...c/6e2bda2c192d0244b5a78b787ef20aa10cb319b7

cve.org (CVE-2023-53616)

nvd.nist.gov (CVE-2023-53616)
