CVE-2022-50755

In the Linux kernel, the following vulnerability has been resolved:

udf: Avoid double brelse() in udf_rename()

syzbot reported a warning like below [1]:

VFS: brelse: Trying to free free buffer WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0 ... Call Trace: <TASK> invalidatebhlru+0x99/0x150 smpcallfunctionmanycond+0xe2a/0x10c0 ? genericremapfilerangeprep+0x50/0x50 ? __brelse+0xa0/0xa0 ? __mutexlock+0x21c/0x12d0 ? smpcalloncpu+0x250/0x250 ? rcu_readlockschedheld+0xb/0x60 ? lockrelease+0x587/0x810 ? __brelse+0xa0/0xa0 ? genericremapfile_rangeprep+0x50/0x50 oneachcpucondmask+0x3c/0x80 blkdevflushmapping+0x13a/0x2f0 blkdevputwhole+0xd3/0xf0 blkdevput+0x222/0x760 deactivatelockedsuper+0x96/0x160 deactivatesuper+0xda/0x100 cleanupmnt+0x222/0x3d0 taskworkrun+0x149/0x240 ? taskworkcancel+0x30/0x30 doexit+0xb29/0x2a40 ? reacquireheldlocks+0x4a0/0x4a0 ? dorawspinlock+0x12a/0x2b0 ? mmupdatenextowner+0x7c0/0x7c0 ? rwlockbug.part.0+0x90/0x90 ? zapotherthreads+0x234/0x2d0 dogroupexit+0xd0/0x2a0 _x64sysexitgroup+0x3a/0x50 dosyscall64+0x34/0xb0 entrySYSCALL64afterhwframe+0x63/0xcd

The cause of the issue is that brelse() is called on both ofibh.sbh and ofibh.ebh by udffindentry() when it returns NULL. However, brelse() is called by udfrename(), too. So, bcount on buffer_head becomes unbalanced.

This patch fixes the issue by not calling brelse() by udfrename() when udffind_entry() returns NULL.