ghsa-v852-w8jm-hg43
Vulnerability from github
Published
2025-10-04 18:31
Modified
2025-10-04 18:31
Details

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount

syzbot found an invalid-free in diUnmount:

BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674 Free of addr ffff88806f410000 by task syz-executor131/3632

CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460 _kasanslab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1724 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750 slab_free mm/slub.c:3661 [inline] kmem_cache_free+0x71/0x110 mm/slub.c:3674 diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195 jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1428 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1186 task_work_run+0x243/0x300 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x664/0x2070 kernel/exit.c:820 do_group_exit+0x1fd/0x2b0 kernel/exit.c:950 __do_sys_exit_group kernel/exit.c:961 [inline] __se_sys_exit_group kernel/exit.c:959 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...]

JFS_IP(ipimap)->i_imap is not setting to NULL after free in diUnmount. If jfs_remount() free JFS_IP(ipimap)->i_imap but then failed at diMount(). JFS_IP(ipimap)->i_imap will be freed once again. Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53616"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-04T16:15:58Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix invalid free of JFS_IP(ipimap)-\u003ei_imap in diUnmount\n\nsyzbot found an invalid-free in diUnmount:\n\nBUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]\nBUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674\nFree of addr ffff88806f410000 by task syz-executor131/3632\n\n CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\n Call Trace:\n  \u003cTASK\u003e\n  __dump_stack lib/dump_stack.c:88 [inline]\n  dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n  print_address_description+0x74/0x340 mm/kasan/report.c:284\n  print_report+0x107/0x1f0 mm/kasan/report.c:395\n  kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460\n  ____kasan_slab_free+0xfb/0x120\n  kasan_slab_free include/linux/kasan.h:177 [inline]\n  slab_free_hook mm/slub.c:1724 [inline]\n  slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750\n  slab_free mm/slub.c:3661 [inline]\n  __kmem_cache_free+0x71/0x110 mm/slub.c:3674\n  diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195\n  jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63\n  jfs_put_super+0x86/0x190 fs/jfs/super.c:194\n  generic_shutdown_super+0x130/0x310 fs/super.c:492\n  kill_block_super+0x79/0xd0 fs/super.c:1428\n  deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n  cleanup_mnt+0x494/0x520 fs/namespace.c:1186\n  task_work_run+0x243/0x300 kernel/task_work.c:179\n  exit_task_work include/linux/task_work.h:38 [inline]\n  do_exit+0x664/0x2070 kernel/exit.c:820\n  do_group_exit+0x1fd/0x2b0 kernel/exit.c:950\n  __do_sys_exit_group kernel/exit.c:961 [inline]\n  __se_sys_exit_group kernel/exit.c:959 [inline]\n  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959\n  do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n\nJFS_IP(ipimap)-\u003ei_imap is not setting to NULL after free in diUnmount.\nIf jfs_remount() free JFS_IP(ipimap)-\u003ei_imap but then failed at diMount().\nJFS_IP(ipimap)-\u003ei_imap will be freed once again.\nFix this problem by setting JFS_IP(ipimap)-\u003ei_imap to NULL after free.",
  "id": "GHSA-v852-w8jm-hg43",
  "modified": "2025-10-04T18:31:16Z",
  "published": "2025-10-04T18:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53616"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/114ea3cb13ab25f7178cb60283adb93d2f96dad7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4de3a603010e0ca334487de24c6aab0777b7f808"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5873df0195124be2f357de11bfd473ead4f90ed8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6e2bda2c192d0244b5a78b787ef20aa10cb319b7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/756747d4b439e3e1159282ae89f17eefebbe9b25"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/88484bde6f12126616b38e43b6c00edcd941f615"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c3c0f0ddd851b3fa3e9d3450bbcd561f4f850469"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef7311101ca43dd73b45bca7a30ac72d9535ff87"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.