In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to invalidate dcc->f2fs_issue_discard in error path
Syzbot reports a NULL pointer dereference issue as below:
__refcount_add include/linux/refcount.h:193 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
get_task_struct include/linux/sched/task.h:110 [inline]
kthread_stop+0x34/0x1c0 kernel/kthread.c:703
f2fs_stop_discard_thread+0x3c/0x5c fs/f2fs/segment.c:1638
kill_f2fs_super+0x5c/0x194 fs/f2fs/super.c:4522
deactivate_locked_super+0x70/0xe8 fs/super.c:332
deactivate_super+0xd0/0xd4 fs/super.c:363
cleanup_mnt+0x1f8/0x234 fs/namespace.c:1186
__cleanup_mnt+0x20/0x30 fs/namespace.c:1193
task_work_run+0xc4/0x14c kernel/task_work.c:177
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0x26c/0xbe0 kernel/exit.c:795
do_group_exit+0x60/0xe8 kernel/exit.c:925
__do_sys_exit_group kernel/exit.c:936 [inline]
__se_sys_exit_group kernel/exit.c:934 [inline]
__wake_up_parent+0x0/0x40 kernel/exit.c:934
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
The root cause of this issue is in the error path of f2fs_start_discard_thread(): it fails to invalidate dcc->f2fs_issue_discard, so a later kthread_stop() may access an invalid pointer.
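As an added illustration, not code from the kernel or from the fix, a userspace C model of the pattern above: the ERR_PTR helpers, the struct names and the start/stop routines are simplified stand-ins for the kernel's, and a flag selects the buggy or the fixed error path so the two can be compared on the same teardown sequence.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>
/* Userspace stand-ins for the kernel's ERR_PTR helpers (assumed equivalent). */
#define ERR_PTR(e)  ((void *)(intptr_t)(e))
#define PTR_ERR(p)  ((int)(intptr_t)(p))
#define IS_ERR(p)   ((uintptr_t)(p) >= (uintptr_t)-4095)

struct task_struct { int alive; };
struct discard_cmd_control { struct task_struct *f2fs_issue_discard; };
static struct task_struct fake_thread = { 1 };

/* Model of kthread_run(): hands back an ERR_PTR when thread creation fails. */
static struct task_struct *model_kthread_run(int fail)
{
    return fail ? (struct task_struct *)ERR_PTR(-ENOMEM) : &fake_thread;
}

/* Start path. Without the fix, the ERR_PTR stays in dcc->f2fs_issue_discard;
 * with it, the field is reset to NULL before the error is returned. */
static int start_discard_thread(struct discard_cmd_control *dcc, int fail, int fixed)
{
    dcc->f2fs_issue_discard = model_kthread_run(fail);
    if (IS_ERR(dcc->f2fs_issue_discard)) {
        int err = PTR_ERR(dcc->f2fs_issue_discard);
        if (fixed)
            dcc->f2fs_issue_discard = NULL;   /* the one-line fix */
        return err;
    }
    return 0;
}

/* Stop path modelled on f2fs_stop_discard_thread(): NULL means "no thread", anything
 * else goes to kthread_stop(), which dereferences it. Returns 1 if an ERR_PTR would. */
static int stop_discard_thread_would_crash(struct discard_cmd_control *dcc)
{
    struct task_struct *t = dcc->f2fs_issue_discard;
    if (!t)
        return 0;
    dcc->f2fs_issue_discard = NULL;
    return IS_ERR(t) ? 1 : 0;
}

/* A failed thread start followed by the kill_f2fs_super() teardown; 1 = would crash. */
static int scenario(int fail, int fixed)
{
    struct discard_cmd_control dcc = { NULL };
    (void)start_discard_thread(&dcc, fail, fixed);
    return stop_discard_thread_would_crash(&dcc);
}
```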
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50620.json"
}