exfat: fix double free in delayed_free

CIQ Kernel Automation · roxanan1996 · commit 6790afe4481c · 2026-03-13T14:54:20.000+01:00
jira VULN-72068 cve CVE-2025-38206 commit-author Namjae Jeon <linkinjeon@kernel.org> commit 1f3d972 The double free could happen in the following path. exfat_create_upcase_table() exfat_create_upcase_table() : return error exfat_free_upcase_table() : free ->vol_utbl exfat_load_default_upcase_table : return error exfat_kill_sb() delayed_free() exfat_free_upcase_table() <--------- double free This patch set ->vol_util as NULL after freeing it. Reported-by: Jianzhou Zhao <xnxc22xnxc22@qq.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> (cherry picked from commit 1f3d972) Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
diff --git a/fs/exfat/nls.c b/fs/exfat/nls.c
@@ -804,4 +804,5 @@ int exfat_create_upcase_table(struct super_block *sb)
 void exfat_free_upcase_table(struct exfat_sb_info *sbi)
 {
 	kvfree(sbi->vol_utbl);
+	sbi->vol_utbl = NULL;
 }

Original file line number	Diff line number	Diff line change
`@@ -804,4 +804,5 @@ int exfat_create_upcase_table(struct super_block *sb)`
`804`	`804`	`void exfat_free_upcase_table(struct exfat_sb_info *sbi)`
`805`	`805`	`{`
`806`	`806`	`kvfree(sbi->vol_utbl);`
	`807`	`+ sbi->vol_utbl = NULL;`
`807`	`808`	`}`