In the Linux kernel, the following vulnerability has been resolved:
ext4: fix double-free of blocks due to wrong extents moved_len
In ext4moveextents(), movedlen is only updated when all moves are successfully executed, and only discards originode and donorinode preallocations when movedlen is not zero. When the loop fails to exit after successfully moving some extents, moved_len is not updated and remains at 0, so it does not discard the preallocations.
If the moved extents overlap with the preallocated extents, the overlapped extents are freed twice in ext4mbreleaseinodepa() and ext4processfreeddata() (as described in commit 94d7c16cbbbd ("ext4: Fix double-free of blocks with EXT4IOCMOVEEXT")), and bbfree is incremented twice. Hence when trim is executed, a zero-division bug is triggered in mbupdateavgfragmentsize() because bbfree is not zero and bb_fragments is zero.
Therefore, update move_len after each extent move to avoid the issue.