From: Namjae Jeon <linkinjeon@kernel.org>
Date: Tue, 1 Apr 2025 04:50:39 +0000 (+0900)
Subject: exfat: fix double free in delayed_free
X-Git-Tag: v5.15.186~138
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=66e84439ec2af776ce749e8540f8fdd257774152;p=thirdparty%2Fkernel%2Fstable.git

exfat: fix double free in delayed_free

[ Upstream commit 1f3d9724e16d62c7d42c67d6613b8512f2887c22 ]

The double free could happen in the following path.

exfat_create_upcase_table()
        exfat_create_upcase_table() : return error
        exfat_free_upcase_table() : free ->vol_utbl
        exfat_load_default_upcase_table : return error
     exfat_kill_sb()
           delayed_free()
                  exfat_free_upcase_table() <--------- double free
This patch set ->vol_util as NULL after freeing it.

Reported-by: Jianzhou Zhao <xnxc22xnxc22@qq.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/fs/exfat/nls.c b/fs/exfat/nls.c
index 314d5407a1be5..a75d5fb2404c7 100644
--- a/fs/exfat/nls.c
+++ b/fs/exfat/nls.c
@@ -804,4 +804,5 @@ load_default:
 void exfat_free_upcase_table(struct exfat_sb_info *sbi)
 {
 	kvfree(sbi->vol_utbl);
+	sbi->vol_utbl = NULL;
 }