DEBIAN-CVE-2022-50751

In the Linux kernel, the following vulnerability has been resolved: configfs: fix possible memory leak in configfscreatedir() kmemleak reported memory leaks in configfscreatedir(): unreferenced object 0xffff888009f6af00 (size 192): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmemcachealloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) newfragment (./include/linux/slab.h:600 fs/configfs/dir.c:163) configfsregistersubsystem (fs/configfs/dir.c:1857) basicwrite (drivers/hwtracing/stm/pbasic.c:14) stmpbasic dooneinitcall (init/main.c:1296) doinitmodule (kernel/module/main.c:2455) ... unreferenced object 0xffff888003ba7180 (size 96): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmemcachealloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) configfsnewdirent (./include/linux/slab.h:723 fs/configfs/dir.c:194) configfsmakedirent (fs/configfs/dir.c:248) configfscreatedir (fs/configfs/dir.c:296) configfsattachgroup.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852) configfsregistersubsystem (fs/configfs/dir.c:1881) basicwrite (drivers/hwtracing/stm/pbasic.c:14) stmpbasic dooneinitcall (init/main.c:1296) doinitmodule (kernel/module/main.c:2455) ... This is because the refcount is not correct in configfsmakedirent(). For normal stage, the refcount is changing as: configfsregistersubsystem() configfscreatedir() configfsmakedirent() configfsnewdirent() # set scount = 1 dentry->dfsdata = configfsget(sd); # scount = 2 ... configfsunregistersubsystem() configfsremovedir() removedir() configfsremovedirent() # scount = 1 dput() ... *dentryunlinkinode()* configfsdiput() # scount = 0, release However, if we failed in configfscreate(): configfsregistersubsystem() configfscreatedir() configfsmakedirent() # scount = 2 ... configfscreate() # fail ->outremove: configfsremovedirent(dentry) configfsput(sd) # scount = 1 return PTRERR(inode); There is no inode in the error path, so the configfsdiput() is lost and makes sd and fragment memory leaked. To fix this, when we failed in configfscreate(), manually call configfs_put(sd) to keep the refcount correct.