CVE-2026-31434
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix leak of kobject name for sub-group space_info
When create_space_info_sub_group() allocates elements of space_info->sub_group[], kobject_init_and_add() is called for each element via btrfs_sysfs_add_space_info_type(). However, when check_removing_space_info() frees these elements, it does not call btrfs_sysfs_remove_space_info() on them. As a result, kobject_put() is not called and the associated kobj->name objects are leaked.
This memory leak is reproduced by running the blktests test case zbd/009 on kernels built with CONFIG_DEBUG_KMEMLEAK. The kmemleak feature reports the following error:
unreferenced object 0xffff888112877d40 (size 16): comm "mount", pid 1244, jiffies 4294996972 hex dump (first 16 bytes): 64 61 74 61 2d 72 65 6c 6f 63 00 c4 c6 a7 cb 7f data-reloc…… backtrace (crc 53ffde4d): __kmalloc_node_track_caller_noprof+0x619/0x870 kstrdup+0x42/0xc0 kobject_set_name_vargs+0x44/0x110 kobject_init_and_add+0xcf/0x150 btrfs_sysfs_add_space_info_type+0xfc/0x210 [btrfs] create_space_info_sub_group.constprop.0+0xfb/0x1b0 [btrfs] create_space_info+0x211/0x320 [btrfs] btrfs_init_space_info+0x15a/0x1b0 [btrfs] open_ctree+0x33c7/0x4a50 [btrfs] btrfs_get_tree.cold+0x9f/0x1ee [btrfs] vfs_get_tree+0x87/0x2f0 vfs_cmd_create+0xbd/0x280 __do_sys_fsconfig+0x3df/0x990 do_syscall_64+0x136/0x1540 entry_SYSCALL_64_after_hwframe+0x76/0x7e
To avoid the leak, call btrfs_sysfs_remove_space_info() instead of kfree() for the elements.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 64c7ddda83acfbaa0efb381a1928ce908c584607 < 416484f21a9d1280cf6daa7ebc10c79b59c46e48 | affected |
| Linux | Linux | 0bd151ce4200ca847990e05cca29a76456982ca5 < 94054ffd311a1f76b7093ba8ebf50bdb0d28337c | affected |
| Linux | Linux | 190d5a7c4fe42b8c9aa46e3336389e7cb10395bb < 1737ddeafbb1304f41ec2eede4f7366082e7c96a | affected |
| Linux | Linux | f92ee31e031c7819126d2febdda0c3e91f5d2eb9 < 3c844d01f9874a43004c82970d8da94f9aba8949 | affected |
| Linux | Linux | f92ee31e031c7819126d2febdda0c3e91f5d2eb9 < 3c645c6f7e5470debbb81666b230056de48f36dc | affected |
| Linux | Linux | f92ee31e031c7819126d2febdda0c3e91f5d2eb9 < a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41 | affected |
| Linux | Linux | 6.1.162 < 6.1.168 | affected |
| Linux | Linux | 6.6.122 < 6.6.131 | affected |
| Linux | Linux | 6.12.67 < 6.12.80 | affected |
| Linux | Linux | 6.16 | affected |
| Linux | Linux | 0 < 6.16 | unaffected |
| Linux | Linux | 6.1.168 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.131 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.80 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.21 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.11 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/416484f21a9d1280cf6daa7ebc10c79b59c46e48
- https://git.kernel.org/stable/c/94054ffd311a1f76b7093ba8ebf50bdb0d28337c
- https://git.kernel.org/stable/c/1737ddeafbb1304f41ec2eede4f7366082e7c96a
- https://git.kernel.org/stable/c/3c844d01f9874a43004c82970d8da94f9aba8949
- https://git.kernel.org/stable/c/3c645c6f7e5470debbb81666b230056de48f36dc
- https://git.kernel.org/stable/c/a4376d9a5d4c9610e69def3fc0b32c86a7ab7a41
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.