Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info_sub_group() error path When kobject_init_and_add() fails, the call chain is: create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group) Then control returns to create_space_info_sub_group(), where: btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group) Thus, sub_group is freed twice. Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup.
Product status
0bd151ce4200ca847990e05cca29a76456982ca5 (git) before d2a675f2e238ec96c8e91e2718c1f910c9c8fb21
190d5a7c4fe42b8c9aa46e3336389e7cb10395bb (git) before 14b22be1dd844383eb03af9b1ee3b6b25d32aeaf
f92ee31e031c7819126d2febdda0c3e91f5d2eb9 (git) before dfd05a16b5c9d1d98b47905f37f2fccda52173d1
f92ee31e031c7819126d2febdda0c3e91f5d2eb9 (git) before 259af6857a1b4f1e9ef8b780353f9d11c26a22bd
f92ee31e031c7819126d2febdda0c3e91f5d2eb9 (git) before a7449edf96143f192606ec8647e3167e1ecbd728
64c7ddda83acfbaa0efb381a1928ce908c584607 (git)
6.6.122 (semver) before 6.6.141
6.12.67 (semver) before 6.12.90
6.1.162 (semver) before 6.2
6.16
Any version before 6.16
6.6.141 (semver)
6.12.90 (semver)
6.18.32 (semver)
7.0.7 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/d2a675f2e238ec96c8e91e2718c1f910c9c8fb21
git.kernel.org/...c/14b22be1dd844383eb03af9b1ee3b6b25d32aeaf
git.kernel.org/...c/dfd05a16b5c9d1d98b47905f37f2fccda52173d1
git.kernel.org/...c/259af6857a1b4f1e9ef8b780353f9d11c26a22bd
git.kernel.org/...c/a7449edf96143f192606ec8647e3167e1ecbd728