In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix race between searching chunks and release journal_head from buffer_head
Encountered a race between ocfs2_test_bg_bit_allocatable() and jbd2_journal_put_journal_head() resulting in the below vmcore.
PID: 106879  TASK: ffff880244ba9c00  CPU: 2  COMMAND: "loop3"
Call trace:
  panic
  oops_end
  no_context
  __bad_area_nosemaphore
  bad_area_nosemaphore
  __do_page_fault
  do_page_fault
  page_fault
  [exception RIP: ocfs2_block_group_find_clear_bits+316]
  ocfs2_block_group_find_clear_bits [ocfs2]
  ocfs2_cluster_group_search [ocfs2]
  ocfs2_search_chain [ocfs2]
  ocfs2_claim_suballoc_bits [ocfs2]
  __ocfs2_claim_clusters [ocfs2]
  ocfs2_claim_clusters [ocfs2]
  ocfs2_local_alloc_slide_window [ocfs2]
  ocfs2_reserve_local_alloc_bits [ocfs2]
  ocfs2_reserve_clusters_with_limit [ocfs2]
  ocfs2_reserve_clusters [ocfs2]
  ocfs2_lock_refcount_allocators [ocfs2]
  ocfs2_make_clusters_writable [ocfs2]
  ocfs2_replace_cow [ocfs2]
  ocfs2_refcount_cow [ocfs2]
  ocfs2_file_write_iter [ocfs2]
  lo_rw_aio
  loop_queue_work
  kthread_worker_fn
  kthread
  ret_from_fork
When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), bg_bh->b_private was already NULL because jbd2_journal_put_journal_head() had raced with it and released the journal head from the buffer head. The fix takes the bit lock for the 'BH_JournalHead' bit around the lookup so the release cannot happen mid-check.
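The locking discipline the fix relies on, shown as an added user-space model rather than the kernel's or the ocfs2 patch's own code: the BH_JournalHead bit in b_state acts as a bit spinlock, the jbd2-style release clears BH_JBD and b_private only while holding it, and the ocfs2-style reader takes the same lock before the bh2jh() step and tolerates a NULL journal head. The bit positions, struct layouts, bitmap size and the stress loop are all constructed for the example.

```c
/* Added example: user-space model of the BH_JournalHead bit-lock discipline.
 * Not kernel code; bit numbers, struct layouts and bitmap sizes are assumed. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { BH_JBD = 0, BH_JournalHead = 1 };  /* assumed bit positions in b_state */
#define BITMAP_BYTES 16                    /* constructed 128-bit group bitmap */

struct journal_head {
    const unsigned char *b_committed_data;  /* bitmap as of the last commit */
};

struct buffer_head {
    atomic_ulong b_state;                   /* flag bits, including the bit lock */
    struct journal_head *b_private;         /* valid only while BH_JBD is set */
    unsigned char b_data[BITMAP_BYTES];     /* live (uncommitted) bitmap */
};

/* Bit spinlock: spin until this caller is the one that flipped `bit` 0 -> 1. */
static void bit_spin_lock(int bit, atomic_ulong *state)
{
    unsigned long mask = 1UL << bit;
    while (atomic_fetch_or_explicit(state, mask, memory_order_acquire) & mask)
        ;
}

static void bit_spin_unlock(int bit, atomic_ulong *state)
{
    atomic_fetch_and_explicit(state, ~(1UL << bit), memory_order_release);
}

static bool buffer_jbd(struct buffer_head *bh)
{
    return atomic_load(&bh->b_state) & (1UL << BH_JBD);
}

static bool test_bit(const unsigned char *map, int nr)
{
    return map[nr / 8] & (1u << (nr % 8));
}

/* jbd2 side: attach, and later release, the journal head. Both steps touch
 * b_private only while holding the BH_JournalHead bit lock. */
static void attach_journal_head(struct buffer_head *bh, struct journal_head *jh)
{
    bit_spin_lock(BH_JournalHead, &bh->b_state);
    bh->b_private = jh;
    atomic_fetch_or(&bh->b_state, 1UL << BH_JBD);
    bit_spin_unlock(BH_JournalHead, &bh->b_state);
}

static void put_journal_head(struct buffer_head *bh)
{
    bit_spin_lock(BH_JournalHead, &bh->b_state);
    atomic_fetch_and(&bh->b_state, ~(1UL << BH_JBD));
    bh->b_private = NULL;  /* the pointer the unlocked reader used to dereference */
    bit_spin_unlock(BH_JournalHead, &bh->b_state);
}

/* ocfs2 side: bit `nr` is allocatable when clear in the live bitmap and, if the
 * buffer is journaled, also clear in the committed copy (a bit freed in the
 * running transaction must not be reused before commit). The lookup of
 * b_private happens under the bit lock, and a NULL journal head is handled. */
static int test_bit_allocatable(struct buffer_head *bh, int nr)
{
    int ret = 1;

    if (test_bit(bh->b_data, nr))
        return 0;

    bit_spin_lock(BH_JournalHead, &bh->b_state);
    if (buffer_jbd(bh)) {
        struct journal_head *jh = bh->b_private;  /* the bh2jh() step */
        if (jh && jh->b_committed_data && test_bit(jh->b_committed_data, nr))
            ret = 0;
    }
    bit_spin_unlock(BH_JournalHead, &bh->b_state);
    return ret;
}

/* Deterministic walk through the states a reader can observe; returns a bit
 * code of the four results (expected 10 = 0b1010). */
static int demo_sequence(void)
{
    static const unsigned char committed[BITMAP_BYTES] = { 0x10 };      /* bit 4 set */
    struct journal_head jh = { committed };
    struct buffer_head bh = { .b_private = NULL, .b_data = { 0x08 } };  /* bit 3 set */
    int code = 0;

    atomic_init(&bh.b_state, 0);
    code |= test_bit_allocatable(&bh, 3) << 0;  /* live bit set: 0 */
    code |= test_bit_allocatable(&bh, 4) << 1;  /* not journaled: 1 */
    attach_journal_head(&bh, &jh);
    code |= test_bit_allocatable(&bh, 4) << 2;  /* committed bit set: 0 */
    put_journal_head(&bh);
    code |= test_bit_allocatable(&bh, 4) << 3;  /* released, no dereference: 1 */
    return code;
}

/* Constructed stress: one thread attaches and releases the journal head while
 * the caller keeps searching. Returns the count of malformed results (expected 0). */
struct churn_arg { struct buffer_head *bh; struct journal_head *jh; int iters; };

static void *churn(void *p)
{
    struct churn_arg *a = p;
    for (int i = 0; i < a->iters; i++) {
        attach_journal_head(a->bh, a->jh);
        put_journal_head(a->bh);
    }
    return NULL;
}

static int run_stress(int iters)
{
    static const unsigned char committed[BITMAP_BYTES] = { 0xff };
    struct journal_head jh = { committed };
    struct buffer_head bh = { .b_private = NULL, .b_data = { 0 } };
    struct churn_arg arg = { &bh, &jh, iters };
    pthread_t t;
    int bad = 0;

    atomic_init(&bh.b_state, 0);
    if (pthread_create(&t, NULL, churn, &arg) != 0)
        return -1;
    for (int i = 0; i < iters; i++) {
        int r = test_bit_allocatable(&bh, i % (BITMAP_BYTES * 8));
        if (r != 0 && r != 1)
            bad++;
    }
    pthread_join(t, NULL);
    return bad;
}

int main(void)
{
    printf("state code: %d, malformed results under contention: %d\n",
           demo_sequence(), run_stress(20000));
    return 0;
}
```

The point of the model is the ordering, not the data structures: the releasing side and the searching side serialise on the same bit in b_state, so the reader either sees a fully attached journal head or BH_JBD clear, never a half-released one.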