In the Linux kernel, the following vulnerability has been resolved: ext4: fix double brelse() the buffer of the extents path In ext4exttrytomergeup(), set path[1].pbh to NULL after it has been released, otherwise it may be released twice. An example of what triggers this is as follows: split2 map split1 |--------|-------|--------| ext4extmapblocks ext4exthandleunwrittenextents ext4splitconvertextents // path->pdepth == 0 ext4splitextent // 1. do split1 ext4splitextentat |ext4extinsertextent | ext4extcreatenewleaf | ext4extgrowindepth | le16addcpu(&neh->ehdepth, 1) | ext4findextent | // return -ENOMEM |// get error and try zeroout |path = ext4findextent | path->pdepth = 1 |ext4exttrytomerge | ext4exttrytomergeup | path->pdepth = 0 | brelse(path[1].pbh) ---> not set to NULL here |// zeroout success // 2. update path ext4findextent // 3. do split2 ext4splitextentat ext4extinsertextent ext4extcreatenewleaf ext4extgrowindepth le16addcpu(&neh->ehdepth, 1) ext4findextent path[0].pbh = NULL; path->pdepth = 1 readextenttreeblock ---> return err // path[1].pbh is still the old value ext4freeextpath ext4extdroprefs // path->pdepth == 1 brelse(path[1].pbh) ---> brelse a buffer twice Finally got the following WARRNING when removing the buffer from lru: ============================================ VFS: brelse: Trying to free free buffer WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 brelse+0x58/0x90 CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716 RIP: 0010:brelse+0x58/0x90 Call Trace: <TASK> _findgetblock+0x6e7/0x810 bdevgetblk+0x2b/0x480 _ext4getinodeloc+0x48a/0x1240 ext4getinodeloc+0xb2/0x150 ext4reserveinodewrite+0xb7/0x230 _ext4markinodedirty+0x144/0x6a0 ext4extinsertextent+0x9c8/0x3230 ext4extmapblocks+0xf45/0x2dc0 ext4mapblocks+0x724/0x1700 ext4do_writepages+0x12d6/0x2a70 [...] ============================================