exfat: fix double free in delayed_free

namjaejeon · namjaejeon · commit 1f3d9724e16d · 2025-05-26T20:25:23.000+09:00
The double free could happen in the following path.

exfat_create_upcase_table()
        exfat_create_upcase_table() : return error
        exfat_free_upcase_table() : free -&gt;vol_utbl
        exfat_load_default_upcase_table : return error
     exfat_kill_sb()
           delayed_free()
                  exfat_free_upcase_table() &lt;--------- double free
This patch set -&gt;vol_util as NULL after freeing it.

Reported-by: Jianzhou Zhao &lt;xnxc22xnxc22@qq.com&gt;
Signed-off-by: Namjae Jeon &lt;linkinjeon@kernel.org&gt;
diff --git a/fs/exfat/nls.c b/fs/exfat/nls.c
@@ -801,4 +801,5 @@ int exfat_create_upcase_table(struct super_block *sb)
 void exfat_free_upcase_table(struct exfat_sb_info *sbi)
 {
 	kvfree(sbi->vol_utbl);
+	sbi->vol_utbl = NULL;
 }

Original file line number	Diff line number	Diff line change
`@@ -801,4 +801,5 @@ int exfat_create_upcase_table(struct super_block *sb)`
`801`	`801`	`void exfat_free_upcase_table(struct exfat_sb_info *sbi)`
`802`	`802`	`{`
`803`	`803`	`kvfree(sbi->vol_utbl);`
	`804`	`+ sbi->vol_utbl = NULL;`
`804`	`805`	`}`