{"id":"CVE-2021-47638","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: rename_whiteout: Fix double free for whiteout_ui-\u003edata\n\n'whiteout_ui-\u003edata' will be freed twice if space budget fail for\nrename whiteout operation as following process:\n\nrename_whiteout\n  dev = kmalloc\n  whiteout_ui-\u003edata = dev\n  kfree(whiteout_ui-\u003edata)  // Free first time\n  iput(whiteout)\n    ubifs_free_inode\n      kfree(ui-\u003edata)\t    // Double free!\n\nKASAN reports:\n==================================================================\nBUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70\nCall Trace:\n  kfree+0x117/0x490\n  ubifs_free_inode+0x4f/0x70 [ubifs]\n  i_callback+0x30/0x60\n  rcu_do_batch+0x366/0xac0\n  __do_softirq+0x133/0x57f\n\nAllocated by task 1506:\n  kmem_cache_alloc_trace+0x3c2/0x7a0\n  do_rename+0x9b7/0x1150 [ubifs]\n  ubifs_rename+0x106/0x1f0 [ubifs]\n  do_syscall_64+0x35/0x80\n\nFreed by task 1506:\n  kfree+0x117/0x490\n  do_rename.cold+0x53/0x8a [ubifs]\n  ubifs_rename+0x106/0x1f0 [ubifs]\n  do_syscall_64+0x35/0x80\n\nThe buggy address belongs to the object at ffff88810238bed8 which\nbelongs to the cache kmalloc-8 of size 8\n==================================================================\n\nLet ubifs_free_inode() free 'whiteout_ui-\u003edata'. BTW, delete unused\nassignment 'whiteout_ui-\u003edata_len = 0', process 'ubifs_evict_inode()\n-\u003e ubifs_jnl_delete_inode() -\u003e ubifs_jnl_write_inode()' doesn't need it\n(because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release',\n and the nlink of whiteout inode is 0).","modified":"2026-03-15T22:43:16.490282Z","published":"2025-02-26T06:37:05.580Z","related":["SUSE-SU-2025:1027-1","SUSE-SU-2025:1176-1","SUSE-SU-2025:1183-1","SUSE-SU-2025:1241-1"],"references":[{"type":"FIX","url":"https://git.kernel.org/stable/c/b9a937f096e608b3368c1abc920d4d640ba2c94f"},{"type":"FIX","url":"https://git.kernel.org/stable/c/14276d38c89a170363e90b6ac0a53c3cf61b87fc"},{"type":"FIX","url":"https://git.kernel.org/stable/c/2ad07009c459e56ebdcc089d850d664660fdb742"},{"type":"FIX","url":"https://git.kernel.org/stable/c/2b3236ecf96db7af5836e1366ce39ace8ce832fa"},{"type":"FIX","url":"https://git.kernel.org/stable/c/40a8f0d5e7b3999f096570edab71c345da812e3e"},{"type":"FIX","url":"https://git.kernel.org/stable/c/6d7a158a7363c1f6604aa47ae1a280a5c65123dd"},{"type":"FIX","url":"https://git.kernel.org/stable/c/8b3c7be16f3f4dfd6e15ac651484e59d3fa36274"},{"type":"FIX","url":"https://git.kernel.org/stable/c/a90e2dbe66d2647ff95a0442ad2e86482d977fd8"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"4.9"},{"fixed":"4.14.276"}]},{"events":[{"introduced":"4.15"},{"fixed":"4.19.238"}]},{"events":[{"introduced":"4.20"},{"fixed":"5.4.189"}]},{"events":[{"introduced":"5.5"},{"fixed":"5.10.110"}]},{"events":[{"introduced":"5.11"},{"fixed":"5.15.33"}]},{"events":[{"introduced":"5.16"},{"fixed":"5.16.19"}]},{"events":[{"introduced":"5.17"},{"fixed":"5.17.2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47638.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}