
Description

In the Linux kernel, the following vulnerability has been resolved:

configfs: fix possible memory leak in configfs_create_dir()

kmemleak reported memory leaks in configfs_create_dir():

    unreferenced object 0xffff888009f6af00 (size 192):
      comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
      backtrace:
        kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
        new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163)
        configfs_register_subsystem (fs/configfs/dir.c:1857)
        basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
        do_one_initcall (init/main.c:1296)
        do_init_module (kernel/module/main.c:2455)
        ...

    unreferenced object 0xffff888003ba7180 (size 96):
      comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
      backtrace:
        kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
        configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194)
        configfs_make_dirent (fs/configfs/dir.c:248)
        configfs_create_dir (fs/configfs/dir.c:296)
        configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852)
        configfs_register_subsystem (fs/configfs/dir.c:1881)
        basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
        do_one_initcall (init/main.c:1296)
        do_init_module (kernel/module/main.c:2455)
        ...

This is because the refcount is not correct in configfs_make_dirent(). For normal stage, the refcount is changing as:

    configfs_register_subsystem()
      configfs_create_dir()
        configfs_make_dirent()
          configfs_new_dirent() # set s_count = 1
          dentry->d_fsdata = configfs_get(sd); # s_count = 2
    ...
    configfs_unregister_subsystem()
      configfs_remove_dir()
        remove_dir()
          configfs_remove_dirent() # s_count = 1
        dput() ...
          *dentry_unlink_inode()*
            configfs_d_iput() # s_count = 0, release

However, if we failed in configfs_create():

    configfs_register_subsystem()
      configfs_create_dir()
        configfs_make_dirent() # s_count = 2
        ...
        configfs_create() # fail
        ->out_remove:
        configfs_remove_dirent(dentry)
          configfs_put(sd) # s_count = 1
        return PTR_ERR(inode);

There is no inode in the error path, so the configfs_d_iput() is lost and makes sd and fragment memory leaked.

To fix this, when we failed in configfs_create(), manually call configfs_put(sd) to keep the refcount correct.
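
The refcount sequence described above, replayed as a userspace model. This is an added example, not kernel code and not taken from the fix commits; the model_* names, leaked_after() and the patched flag are assumptions made for illustration, and only the sd object is modelled (the fragment leaks the same way).

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the s_count lifecycle; all names here are hypothetical. */
struct dirent_model { int s_count; };
static int live_objects;                 /* allocated and not yet released */

/* Stands in for configfs_put(): release the object when s_count hits 0. */
static void model_put(struct dirent_model *sd)
{
    if (--sd->s_count == 0) { free(sd); live_objects--; }
}

/* Stands in for configfs_make_dirent(): returns with s_count = 2. */
static struct dirent_model *model_make_dirent(void)
{
    struct dirent_model *sd = calloc(1, sizeof(*sd));
    if (!sd) return NULL;
    sd->s_count = 1; live_objects++;     /* configfs_new_dirent() */
    sd->s_count++;                       /* dentry->d_fsdata = configfs_get(sd) */
    return sd;
}

/* Stands in for configfs_create_dir(); create_fails forces the
 * configfs_create() failure, patched applies the described fix. */
static int model_create_dir(int create_fails, int patched, struct dirent_model **out)
{
    struct dirent_model *sd = model_make_dirent();
    if (!sd) return -1;
    if (create_fails) {
        model_put(sd);                   /* out_remove: configfs_remove_dirent() */
        if (patched) model_put(sd);      /* fix: drop the ref configfs_d_iput() would have */
        return -1;
    }
    *out = sd;
    return 0;
}

/* Runs register (and unregister on success); returns objects still live. */
int leaked_after(int create_fails, int patched)
{
    struct dirent_model *sd = NULL;
    live_objects = 0;
    if (model_create_dir(create_fails, patched, &sd) == 0) {
        model_put(sd);                   /* configfs_remove_dirent(): s_count = 1 */
        model_put(sd);                   /* dput() -> configfs_d_iput(): s_count = 0 */
    }
    return live_objects;
}

int main(void) { printf("%d %d %d\n", leaked_after(0, 0), leaked_after(1, 0), leaked_after(1, 1)); return 0; }
```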

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner Linux

Product status

Default status: unaffected

7063fbf2261194f72ee75afca67b3b38b554b5fa (git) before 90c38f57a821499391526b15cc944c265bd24e48: affected
7063fbf2261194f72ee75afca67b3b38b554b5fa (git) before 74ac7c9ee2d486c501e7864c903f5098fc477acd: affected
7063fbf2261194f72ee75afca67b3b38b554b5fa (git) before 07f82dca112262b169bec0001378126439cab776: affected
7063fbf2261194f72ee75afca67b3b38b554b5fa (git) before 8bc77754224a2c8581727ffe2e958119b4e27c8f: affected
7063fbf2261194f72ee75afca67b3b38b554b5fa (git) before c72eb6e6e49a71f7598740786568fafdd013a227: affected
7063fbf2261194f72ee75afca67b3b38b554b5fa (git) before c65234b283a65cfbfc94619655e820a5e55199eb: affected

Default status: affected

2.6.16: affected
Any version before 2.6.16: unaffected
5.4.229 (semver): unaffected
5.10.163 (semver): unaffected
5.15.86 (semver): unaffected
6.0.16 (semver): unaffected
6.1.2 (semver): unaffected
6.2 (original_commit_for_fix): unaffected

References

git.kernel.org/...c/90c38f57a821499391526b15cc944c265bd24e48

git.kernel.org/...c/74ac7c9ee2d486c501e7864c903f5098fc477acd

git.kernel.org/...c/07f82dca112262b169bec0001378126439cab776

git.kernel.org/...c/8bc77754224a2c8581727ffe2e958119b4e27c8f

git.kernel.org/...c/c72eb6e6e49a71f7598740786568fafdd013a227

git.kernel.org/...c/c65234b283a65cfbfc94619655e820a5e55199eb

cve.org (CVE-2022-50751)

nvd.nist.gov (CVE-2022-50751)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.