{"id":"CVE-2023-54127","summary":"fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()\n\nSyzkaller reported the following issue:\n==================================================================\nBUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]\nBUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800\nFree of addr ffff888086408000 by task syz-executor.4/12750\n[...]\nCall Trace:\n \u003cTASK\u003e\n[...]\n kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482\n ____kasan_slab_free+0xfb/0x120\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1781 [inline]\n slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807\n slab_free mm/slub.c:3787 [inline]\n __kmem_cache_free+0x71/0x110 mm/slub.c:3800\n dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264\n jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87\n jfs_put_super+0x86/0x190 fs/jfs/super.c:194\n generic_shutdown_super+0x130/0x310 fs/super.c:492\n kill_block_super+0x79/0xd0 fs/super.c:1386\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n cleanup_mnt+0x494/0x520 fs/namespace.c:1291\n task_work_run+0x243/0x300 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171\n exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296\n do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n \u003c/TASK\u003e\n\nAllocated by task 13352:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n ____kasan_kmalloc mm/kasan/common.c:371 [inline]\n __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380\n kmalloc include/linux/slab.h:580 [inline]\n dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164\n jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121\n jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556\n mount_bdev+0x26c/0x3a0 fs/super.c:1359\n legacy_get_tree+0xea/0x180 fs/fs_context.c:610\n vfs_get_tree+0x88/0x270 fs/super.c:1489\n do_new_mount+0x289/0xad0 fs/namespace.c:3145\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFreed by task 13352:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518\n ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1781 [inline]\n slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807\n slab_free mm/slub.c:3787 [inline]\n __kmem_cache_free+0x71/0x110 mm/slub.c:3800\n dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264\n jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247\n jfs_remount+0x3db/0x710 fs/jfs/super.c:454\n reconfigure_super+0x3bc/0x7b0 fs/super.c:935\n vfs_fsconfig_locked fs/fsopen.c:254 [inline]\n __do_sys_fsconfig fs/fsopen.c:439 [inline]\n __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n\nJFS_SBI(ipbmap-\u003ei_sb)-\u003ebmap wasn't set to NULL after kfree() in\ndbUnmount().\n\nSyzkaller uses faultinject to reproduce this KASAN double-free\nwarning. The issue is triggered if either diMount() or dbMount() fail\nin jfs_remount(), since diUnmount() or dbUnmount() already happened in\nsuch a case - they will do double-free on next execution: jfs_umount\nor jfs_remount.\n\nTested on both upstream and jfs-next by syzkaller.","modified":"2026-03-31T17:29:49.685770Z","published":"2025-12-24T13:06:45.380Z","related":["SUSE-SU-2026:0263-1","SUSE-SU-2026:0278-1","SUSE-SU-2026:0281-1","SUSE-SU-2026:0293-1","SUSE-SU-2026:0315-1","SUSE-SU-2026:0317-1","SUSE-SU-2026:0411-1","SUSE-SU-2026:0617-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54127.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2f7a36448f51d08d3a83f1514abcca4b680bcd3c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6f8b34458948ffca2fe90cd8c614e3fa2ebe0b27"},{"type":"WEB","url":"https://git.kernel.org/stable/c/798c5f6f98bc9045593d4b3a65c32f05d97bd0e6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aa5b019a3e0f7f54f4e5370c1af827f6b00fd26b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aef6507e85475e30831c30405d785c7ed976ea4a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b12ccbfdf6539ef0157868f69fcae0b7f7a072b3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cade5397e5461295f3cb87880534b6a07cafa427"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f71c4bb3ec08dfcbd201350a6a0a914c4e6a9e3f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54127.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-54127"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"},{"fixed":"798c5f6f98bc9045593d4b3a65c32f05d97bd0e6"},{"fixed":"aef6507e85475e30831c30405d785c7ed976ea4a"},{"fixed":"b12ccbfdf6539ef0157868f69fcae0b7f7a072b3"},{"fixed":"6f8b34458948ffca2fe90cd8c614e3fa2ebe0b27"},{"fixed":"aa5b019a3e0f7f54f4e5370c1af827f6b00fd26b"},{"fixed":"2f7a36448f51d08d3a83f1514abcca4b680bcd3c"},{"fixed":"f71c4bb3ec08dfcbd201350a6a0a914c4e6a9e3f"},{"fixed":"cade5397e5461295f3cb87880534b6a07cafa427"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54127.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.12"},{"fixed":"4.14.326"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"4.19.295"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.257"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.197"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.133"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.55"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.5.5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54127.json"}}],"schema_version":"1.7.5"}