CVE-2026-31434

Summary

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix leak of kobject name for sub-group space_info

When create_space_info_sub_group() allocates elements of space_info->sub_group[], kobject_init_and_add() is called for each element via btrfs_sysfs_add_space_info_type(). However, when check_removing_space_info() frees these elements, it does not call btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is not called and the associated kobj->name objects are leaked.

This memory leak is reproduced by running the blktests test case zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak feature reports the following error:

unreferenced object 0xffff888112877d40 (size 16): comm "mount", pid 1244, jiffies 4294996972 hex dump (first 16 bytes): 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc…… backtrace (crc 53ffde4d): __kmalloc_node_track_caller_noprof+0x619/0x870 kstrdup+0x42/0xc0 kobject_set_name_vargs+0x44/0x110 kobject_init_and_add+0xcf/0x150 btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs] create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs] create_space_info+0x211/0x320 [btrfs] btrfs_init_space_info+0x15a/0x1b0 [btrfs] open_ctree+0x33c7/0x4a50 [btrfs] btrfs_get_tree.cold+0x9f/0x1ee [btrfs] vfs_get_tree+0x87/0x2f0 vfs_cmd_create+0xbd/0x280 __do_sys_fsconfig+0x3df/0x990 do_syscall_64+0x136/0x1540 entry_SYSCALL_64_after_hwframe+0x76/0x7e

To avoid the leak, call btrfs_sysfs_remove_space_info() instead of kfree() for the elements.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux64c7ddda83acfbaa0efb381a1928ce908c584607 < 416484f21a9d1280cf6daa7ebc10c79b59c46e48affected
LinuxLinux0bd151ce4200ca847990e05cca29a76456982ca5 < 94054ffd311a1f76b7093ba8ebf50bdb0d28337caffected
LinuxLinux190d5a7c4fe42b8c9aa46e3336389e7cb10395bb < 1737ddeafbb1304f41ec2eede4f7366082e7c96aaffected
LinuxLinuxf92ee31e031c7819126d2febdda0c3e91f5d2eb9 < 3c844d01f9874a43004c82970d8da94f9aba8949affected
LinuxLinuxf92ee31e031c7819126d2febdda0c3e91f5d2eb9 < 3c645c6f7e5470debbb81666b230056de48f36dcaffected
LinuxLinuxf92ee31e031c7819126d2febdda0c3e91f5d2eb9 < a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41affected
LinuxLinux6.1.162 < 6.1.168affected
LinuxLinux6.6.122 < 6.6.131affected
LinuxLinux6.12.67 < 6.12.80affected
LinuxLinux6.16affected
LinuxLinux0 < 6.16unaffected
LinuxLinux6.1.168 <= 6.1.*unaffected
LinuxLinux6.6.131 <= 6.6.*unaffected
LinuxLinux6.12.80 <= 6.12.*unaffected
LinuxLinux6.18.21 <= 6.18.*unaffected
LinuxLinux6.19.11 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References