{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-54127","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-24T13:02:52.521Z","datePublished":"2025-12-24T13:06:45.380Z","dateUpdated":"2026-05-11T19:56:00.218Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T19:56:00.218Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()\n\nSyzkaller reported the following issue:\n==================================================================\nBUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline]\nBUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800\nFree of addr ffff888086408000 by task syz-executor.4/12750\n[...]\nCall Trace:\n <TASK>\n[...]\n kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482\n ____kasan_slab_free+0xfb/0x120\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1781 [inline]\n slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807\n slab_free mm/slub.c:3787 [inline]\n __kmem_cache_free+0x71/0x110 mm/slub.c:3800\n dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264\n jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87\n jfs_put_super+0x86/0x190 fs/jfs/super.c:194\n generic_shutdown_super+0x130/0x310 fs/super.c:492\n kill_block_super+0x79/0xd0 fs/super.c:1386\n deactivate_locked_super+0xa7/0xf0 fs/super.c:332\n cleanup_mnt+0x494/0x520 fs/namespace.c:1291\n task_work_run+0x243/0x300 kernel/task_work.c:179\n resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]\n exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171\n exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296\n do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n </TASK>\n\nAllocated by task 13352:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n ____kasan_kmalloc mm/kasan/common.c:371 [inline]\n __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380\n kmalloc include/linux/slab.h:580 [inline]\n dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164\n jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121\n jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556\n mount_bdev+0x26c/0x3a0 fs/super.c:1359\n legacy_get_tree+0xea/0x180 fs/fs_context.c:610\n vfs_get_tree+0x88/0x270 fs/super.c:1489\n do_new_mount+0x289/0xad0 fs/namespace.c:3145\n do_mount fs/namespace.c:3488 [inline]\n __do_sys_mount fs/namespace.c:3697 [inline]\n __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFreed by task 13352:\n kasan_save_stack mm/kasan/common.c:45 [inline]\n kasan_set_track+0x3d/0x60 mm/kasan/common.c:52\n kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518\n ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236\n kasan_slab_free include/linux/kasan.h:177 [inline]\n slab_free_hook mm/slub.c:1781 [inline]\n slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807\n slab_free mm/slub.c:3787 [inline]\n __kmem_cache_free+0x71/0x110 mm/slub.c:3800\n dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264\n jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247\n jfs_remount+0x3db/0x710 fs/jfs/super.c:454\n reconfigure_super+0x3bc/0x7b0 fs/super.c:935\n vfs_fsconfig_locked fs/fsopen.c:254 [inline]\n __do_sys_fsconfig fs/fsopen.c:439 [inline]\n __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[...]\n\nJFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in\ndbUnmount().\n\nSyzkaller uses faultinject to reproduce this KASAN double-free\nwarning. The issue is triggered if either diMount() or dbMount() fail\nin jfs_remount(), since diUnmount() or dbUnmount() already happened in\nsuch a case - they will do double-free on next execution: jfs_umount\nor jfs_remount.\n\nTested on both upstream and jfs-next by syzkaller."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/jfs/jfs_dmap.c"],"versions":[{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"798c5f6f98bc9045593d4b3a65c32f05d97bd0e6","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"aef6507e85475e30831c30405d785c7ed976ea4a","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"b12ccbfdf6539ef0157868f69fcae0b7f7a072b3","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"6f8b34458948ffca2fe90cd8c614e3fa2ebe0b27","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"aa5b019a3e0f7f54f4e5370c1af827f6b00fd26b","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"2f7a36448f51d08d3a83f1514abcca4b680bcd3c","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"f71c4bb3ec08dfcbd201350a6a0a914c4e6a9e3f","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"cade5397e5461295f3cb87880534b6a07cafa427","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/jfs/jfs_dmap.c"],"versions":[{"version":"2.6.12","status":"affected"},{"version":"0","lessThan":"2.6.12","status":"unaffected","versionType":"semver"},{"version":"4.14.326","lessThanOrEqual":"4.14.*","status":"unaffected","versionType":"semver"},{"version":"4.19.295","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.257","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.197","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.133","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.55","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.5.5","lessThanOrEqual":"6.5.*","status":"unaffected","versionType":"semver"},{"version":"6.6","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"4.14.326"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"4.19.295"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"5.4.257"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"5.10.197"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"5.15.133"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.1.55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.5.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/798c5f6f98bc9045593d4b3a65c32f05d97bd0e6"},{"url":"https://git.kernel.org/stable/c/aef6507e85475e30831c30405d785c7ed976ea4a"},{"url":"https://git.kernel.org/stable/c/b12ccbfdf6539ef0157868f69fcae0b7f7a072b3"},{"url":"https://git.kernel.org/stable/c/6f8b34458948ffca2fe90cd8c614e3fa2ebe0b27"},{"url":"https://git.kernel.org/stable/c/aa5b019a3e0f7f54f4e5370c1af827f6b00fd26b"},{"url":"https://git.kernel.org/stable/c/2f7a36448f51d08d3a83f1514abcca4b680bcd3c"},{"url":"https://git.kernel.org/stable/c/f71c4bb3ec08dfcbd201350a6a0a914c4e6a9e3f"},{"url":"https://git.kernel.org/stable/c/cade5397e5461295f3cb87880534b6a07cafa427"}],"title":"fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()","x_generator":{"engine":"bippy-1.2.0"}}}}