Home

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix leak of kobject name for sub-group space_info When create_space_info_sub_group() allocates elements of space_info->sub_group[], kobject_init_and_add() is called for each element via btrfs_sysfs_add_space_info_type(). However, when check_removing_space_info() frees these elements, it does not call btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is not called and the associated kobj->name objects are leaked. This memory leak is reproduced by running the blktests test case zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak feature reports the following error: unreferenced object 0xffff888112877d40 (size 16): comm "mount", pid 1244, jiffies 4294996972 hex dump (first 16 bytes): 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc...... backtrace (crc 53ffde4d): __kmalloc_node_track_caller_noprof+0x619/0x870 kstrdup+0x42/0xc0 kobject_set_name_vargs+0x44/0x110 kobject_init_and_add+0xcf/0x150 btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs] create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs] create_space_info+0x211/0x320 [btrfs] btrfs_init_space_info+0x15a/0x1b0 [btrfs] open_ctree+0x33c7/0x4a50 [btrfs] btrfs_get_tree.cold+0x9f/0x1ee [btrfs] vfs_get_tree+0x87/0x2f0 vfs_cmd_create+0xbd/0x280 __do_sys_fsconfig+0x3df/0x990 do_syscall_64+0x136/0x1540 entry_SYSCALL_64_after_hwframe+0x76/0x7e To avoid the leak, call btrfs_sysfs_remove_space_info() instead of kfree() for the elements.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-22 | Updated 2026-04-22 | Assigner Linux

Product status

Default status
unaffected

64c7ddda83acfbaa0efb381a1928ce908c584607 (git) before 416484f21a9d1280cf6daa7ebc10c79b59c46e48
affected

0bd151ce4200ca847990e05cca29a76456982ca5 (git) before 94054ffd311a1f76b7093ba8ebf50bdb0d28337c
affected

190d5a7c4fe42b8c9aa46e3336389e7cb10395bb (git) before 1737ddeafbb1304f41ec2eede4f7366082e7c96a
affected

f92ee31e031c7819126d2febdda0c3e91f5d2eb9 (git) before 3c844d01f9874a43004c82970d8da94f9aba8949
affected

f92ee31e031c7819126d2febdda0c3e91f5d2eb9 (git) before 3c645c6f7e5470debbb81666b230056de48f36dc
affected

f92ee31e031c7819126d2febdda0c3e91f5d2eb9 (git) before a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41
affected

Default status
affected

6.16
affected

Any version before 6.16
unaffected

6.1.168 (semver)
unaffected

6.6.131 (semver)
unaffected

6.12.80 (semver)
unaffected

6.18.21 (semver)
unaffected

6.19.11 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/416484f21a9d1280cf6daa7ebc10c79b59c46e48

git.kernel.org/...c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c

git.kernel.org/...c/1737ddeafbb1304f41ec2eede4f7366082e7c96a

git.kernel.org/...c/3c844d01f9874a43004c82970d8da94f9aba8949

git.kernel.org/...c/3c645c6f7e5470debbb81666b230056de48f36dc

git.kernel.org/...c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41

cve.org (CVE-2026-31434)

nvd.nist.gov (CVE-2026-31434)

Download JSON