Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
Product status
20e8f2de3688082eeafeb93c8900485b7542457e (git) before ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5
58208907c4044a764dbd8896026283905da6d9be (git) before c2670ec4aa49ca226bce9776601e0da37502be07
bb4fa4c0b54aae25e55faeda7f78d0c11b8cd618 (git) before f414b3abbba59ef379a2b3c31f2bdd9358ed5e53
6cb008f1bb23e023dfe615cca5df14570dfc8da5 (git) before 9a060970fd7b5e1c561e4ce73cb9949e4269a738
a11224a016d6d1d46a4d9b6573244448a80d4d7f (git) before dd6ade0fdd59218d71a981ae7c937a304e49209c
a11224a016d6d1d46a4d9b6573244448a80d4d7f (git) before 3f487be81292702a59ea9dbc4088b3360a50e837
6.1.162 (semver) before 6.1.175
6.6.122 (semver) before 6.6.140
6.12.67 (semver) before 6.12.88
6.18.7 (semver) before 6.18.30
6.19
Any version before 6.19
6.1.175 (semver)
6.6.140 (semver)
6.12.88 (semver)
6.18.30 (semver)
7.0.7 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/ae6d6e31ceb72b7697c28a528e4923c08e3c2ef5
git.kernel.org/...c/c2670ec4aa49ca226bce9776601e0da37502be07
git.kernel.org/...c/f414b3abbba59ef379a2b3c31f2bdd9358ed5e53
git.kernel.org/...c/9a060970fd7b5e1c561e4ce73cb9949e4269a738
git.kernel.org/...c/dd6ade0fdd59218d71a981ae7c937a304e49209c
git.kernel.org/...c/3f487be81292702a59ea9dbc4088b3360a50e837