In the Linux kernel, the following vulnerability has been resolved:

fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()

Syzkaller reported the following issue:

BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmemcachefree+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 [...] Call Trace: <TASK> [...] kasanreportinvalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasanslabfree+0xfb/0x120 kasanslabfree include/linux/kasan.h:177 [inline] slabfreehook mm/slub.c:1781 [inline] slabfreefreelisthook+0x12e/0x1a0 mm/slub.c:1807 slabfree mm/slub.c:3787 [inline] __kmemcachefree+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfsdmap.c:264 jfsumount+0x248/0x3b0 fs/jfs/jfsumount.c:87 jfsputsuper+0x86/0x190 fs/jfs/super.c:194 genericshutdownsuper+0x130/0x310 fs/super.c:492 killblocksuper+0x79/0xd0 fs/super.c:1386 deactivatelockedsuper+0xa7/0xf0 fs/super.c:332 cleanupmnt+0x494/0x520 fs/namespace.c:1291 taskworkrun+0x243/0x300 kernel/taskwork.c:179 resumeusermodework include/linux/resumeusermode.h:49 [inline] exittousermodeloop+0x124/0x150 kernel/entry/common.c:171 exittousermodeprepare+0xb2/0x140 kernel/entry/common.c:203 _syscallexittousermodework kernel/entry/common.c:285 [inline] syscallexittousermode+0x26/0x60 kernel/entry/common.c:296 dosyscall64+0x49/0xb0 arch/x86/entry/common.c:86 entrySYSCALL64afterhwframe+0x63/0xcd [...] </TASK>

Allocated by task 13352: kasansavestack mm/kasan/common.c:45 [inline] kasansettrack+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasankmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfsdmap.c:164 jfsmount+0x1dd/0x830 fs/jfs/jfsmount.c:121 jfs_fillsuper+0x590/0xc50 fs/jfs/super.c:556 mountbdev+0x26c/0x3a0 fs/super.c:1359 legacygettree+0xea/0x180 fs/fscontext.c:610 vfsgettree+0x88/0x270 fs/super.c:1489 donewmount+0x289/0xad0 fs/namespace.c:3145 domount fs/namespace.c:3488 [inline] __dosysmount fs/namespace.c:3697 [inline] __sesysmount+0x2d3/0x3c0 fs/namespace.c:3674 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

Freed by task 13352: kasansavestack mm/kasan/common.c:45 [inline] kasansettrack+0x3d/0x60 mm/kasan/common.c:52 kasansavefree_info+0x27/0x40 mm/kasan/generic.c:518 ____kasanslabfree+0xd6/0x120 mm/kasan/common.c:236 kasanslabfree include/linux/kasan.h:177 [inline] slabfreehook mm/slub.c:1781 [inline] slabfreefreelisthook+0x12e/0x1a0 mm/slub.c:1807 slabfree mm/slub.c:3787 [inline] __kmemcachefree+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfsdmap.c:264 jfsmountrw+0x545/0x740 fs/jfs/jfsmount.c:247 jfsremount+0x3db/0x710 fs/jfs/super.c:454 reconfiguresuper+0x3bc/0x7b0 fs/super.c:935 vfsfsconfiglocked fs/fsopen.c:254 [inline] __dosysfsconfig fs/fsopen.c:439 [inline] __sesysfsconfig+0xad5/0x1060 fs/fsopen.c:314 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x3d/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd [...]

JFSSBI(ipbmap->isb)->bmap wasn't set to NULL after kfree() in dbUnmount().

Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfsremount(), since diUnmount() or dbUnmount() already happened in such a case - they will do double-free on next execution: jfsumount or jfs_remount.

Tested on both upstream and jfs-next by syzkaller.