From: Namjae Jeon linkinjeon@kernel.org
[ Upstream commit 1f3d9724e16d62c7d42c67d6613b8512f2887c22 ]
The double free could happen in the following path.
exfat_create_upcase_table() exfat_create_upcase_table() : return error exfat_free_upcase_table() : free ->vol_utbl exfat_load_default_upcase_table : return error exfat_kill_sb() delayed_free() exfat_free_upcase_table() <--------- double free This patch set ->vol_util as NULL after freeing it.
Reported-by: Jianzhou Zhao xnxc22xnxc22@qq.com Signed-off-by: Namjae Jeon linkinjeon@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org ---
Based on my thorough analysis of the commit and examination of the kernel tree, here is my assessment: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Code Analysis **The Problem:** The commit fixes a classic double-free vulnerability in the exfat filesystem. Looking at the current kernel code, the vulnerability exists in this execution path: 1. `exfat_create_upcase_table()` calls `exfat_load_upcase_table()` which may fail 2. On failure (`ret && ret != -EIO`), it calls `exfat_free_upcase_table(sbi)` 3. Then it goes to `load_default:` and calls `exfat_load_default_upcase_table()` which may also fail 4. When the filesystem unmounts, `exfat_kill_sb()` → `delayed_free()` → `exfat_free_upcase_table(sbi)` is called again **The Current Vulnerable Code:** ```c void exfat_free_upcase_table(struct exfat_sb_info *sbi) { kvfree(sbi->vol_utbl); // No NULL assignment - vulnerable to double free } ``` **The Fix:** The patch adds `sbi->vol_utbl = NULL;` after the `kvfree()`, which prevents the double-free because `kvfree(NULL)` is safe. ## Backport Criteria Assessment **1. Bug Severity: HIGH** - This is a memory corruption vulnerability (double-free) - Double-free bugs can lead to heap corruption, crashes, and potentially security exploits - The bug affects the reliability and security of the exfat filesystem **2. Fix Quality: EXCELLENT** - The fix is minimal (just one line: `sbi->vol_utbl = NULL;`) - Extremely low risk of introducing regressions - Follows standard defensive programming practices - The fix is contained within a single function **3. Backport Suitability: PERFECT** - Small, isolated change that doesn't affect any APIs - No architectural changes or new features - The fix addresses the root cause directly - Compatible with all kernel versions that have the vulnerable code **4. Historical Context:** Looking at the similar commits provided: - **Similar Commit #2** (Status: YES): Also a memory leak fix in exfat with `Cc: stable@vger.kernel.org` - **Similar Commit #4** (Status: YES): Another memory corruption prevention fix in exfat - Both demonstrate that small, targeted memory management fixes in exfat are appropriate for stable backporting **5. Impact Assessment:** - **User Impact:** High - prevents filesystem crashes and potential data corruption - **Risk:** Very low - the change only affects error paths and adds defensive programming - **Complexity:** Minimal - single line change with clear semantics **6. RCU Context:** The commit a13d1a4de3b0 introduced the `delayed_free()` mechanism that made this double-free possible, making this fix essential for kernels with that change. ## Conclusion This commit represents exactly the type of fix that stable kernels need: a small, surgical fix for a potentially serious memory corruption bug with minimal risk of regression. The double-free vulnerability could lead to system instability and the fix is trivial to apply and verify. Given the similarities with other exfat memory management fixes that were successfully backported, this should definitely be included in stable kernel trees.
fs/exfat/nls.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/fs/exfat/nls.c b/fs/exfat/nls.c index 705710f93e2dd..0e05c6b5a2864 100644 --- a/fs/exfat/nls.c +++ b/fs/exfat/nls.c @@ -804,4 +804,5 @@ int exfat_create_upcase_table(struct super_block *sb) void exfat_free_upcase_table(struct exfat_sb_info *sbi) { kvfree(sbi->vol_utbl); + sbi->vol_utbl = NULL; }