Home

Description

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]

PUBLISHED Reserved 2026-05-13 | Published 2026-05-27 | Updated 2026-05-30 | Assigner Linux




HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Product status

Default status
unaffected

d0a22a4b03b8475b7aa3fa41243c26c291407844 (git) before 1403989d1b502f4a2c0d0b42ccf1c25748442eff
affected

d0a22a4b03b8475b7aa3fa41243c26c291407844 (git) before 1cae1bafdf9caa9b462b19af06b1a06902e4e142
affected

d0a22a4b03b8475b7aa3fa41243c26c291407844 (git) before 764c3c84b5683e608f43735c803a5f415046686c
affected

d0a22a4b03b8475b7aa3fa41243c26c291407844 (git) before d87268326b277af3665237ac76a73dd9fa8e21b4
affected

d0a22a4b03b8475b7aa3fa41243c26c291407844 (git) before 87d4954b5c59735a99ea98cb208d47130f6dce7d
affected

d0a22a4b03b8475b7aa3fa41243c26c291407844 (git) before 6d76febba07c40bcf358f63216d36ea68cf1c215
affected

d0a22a4b03b8475b7aa3fa41243c26c291407844 (git) before 815ddd27c0c7171a99fe802fdb19098ddef8b19d
affected

d0a22a4b03b8475b7aa3fa41243c26c291407844 (git) before faddeb848305e79db89ee0479bb0e33380656321
affected

Default status
affected

5.2
affected

Any version before 5.2
unaffected

5.10.252 (semver)
unaffected

5.15.202 (semver)
unaffected

6.1.165 (semver)
unaffected

6.6.128 (semver)
unaffected

6.12.75 (semver)
unaffected

6.18.14 (semver)
unaffected

6.19.4 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/1403989d1b502f4a2c0d0b42ccf1c25748442eff

git.kernel.org/...c/1cae1bafdf9caa9b462b19af06b1a06902e4e142

git.kernel.org/...c/764c3c84b5683e608f43735c803a5f415046686c

git.kernel.org/...c/d87268326b277af3665237ac76a73dd9fa8e21b4

git.kernel.org/...c/87d4954b5c59735a99ea98cb208d47130f6dce7d

git.kernel.org/...c/6d76febba07c40bcf358f63216d36ea68cf1c215

git.kernel.org/...c/815ddd27c0c7171a99fe802fdb19098ddef8b19d

git.kernel.org/...c/faddeb848305e79db89ee0479bb0e33380656321

cve.org (CVE-2026-45984)

nvd.nist.gov (CVE-2026-45984)

Download JSON