CVE-2026-31446

Summary

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix use-after-free in update_super_work when racing with umount

Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which accesses the kobject's kernfs_node after it has been freed by kobject_del() in ext4_unregister_sysfs():

update_super_work ext4_put_super


                               ext4_unregister_sysfs(sb)
                                 kobject_del(&sbi->s_kobj)
                                   __kobject_del()
                                     sysfs_remove_dir()
                                       kobj->sd = NULL
                                     sysfs_put(sd)
                                       kernfs_put()  // RCU free

ext4_notify_error_sysfs(sbi) sysfs_notify(&sbi->s_kobj) kn = kobj->sd // stale pointer kernfs_get(kn) // UAF on freed kernfs_node ext4_journal_destroy() flush_work(&sbi->s_sb_upd_work)

Instead of reordering the teardown sequence, fix this by making ext4_notify_error_sysfs() detect that sysfs has already been torn down by checking s_kobj.state_in_sysfs, and skipping the sysfs_notify() call in that case. A dedicated mutex (s_error_notify_mutex) serializes ext4_notify_error_sysfs() against kobject_del() in ext4_unregister_sysfs() to prevent TOCTOU races where the kobject could be deleted between the state_in_sysfs check and the sysfs_notify() call.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux52c3a04f9ec2a16a4204d6274db338cb8d5b2d74 < c8fe17a1b308c3d8c703ebfb049b325f844342c3affected
LinuxLinuxb98535d091795a79336f520b0708457aacf55c67 < c4d829737329f2290dd41e290b7d75effdb2a7ffaffected
LinuxLinuxb98535d091795a79336f520b0708457aacf55c67 < 9449f99ba04f5dd1c8423ad8a90b3651d7240d1daffected
LinuxLinuxb98535d091795a79336f520b0708457aacf55c67 < 034053378dd81837fd6c7a43b37ee2e58d4f0b4eaffected
LinuxLinuxb98535d091795a79336f520b0708457aacf55c67 < c97e282f7bfd0c3554c63d289964a5ca6a1d2ffeaffected
LinuxLinuxb98535d091795a79336f520b0708457aacf55c67 < 08b10e6f37fc533a759e9833af0692242e8b3f93affected
LinuxLinuxb98535d091795a79336f520b0708457aacf55c67 < d15e4b0a418537aafa56b2cb80d44add83e83697affected
LinuxLinux585ef03c9e79672781f954daae730dfe24bf3a46affected
LinuxLinuxafe490e48d47df1b3f64012835c1bc2f075a8c8baffected
LinuxLinux5.15.38 < 5.15.203affected
LinuxLinux5.10.114 < 5.11affected
LinuxLinux5.17.6 < 5.18affected
LinuxLinux5.18affected
LinuxLinux0 < 5.18unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.168 <= 6.1.*unaffected
LinuxLinux6.6.131 <= 6.6.*unaffected
LinuxLinux6.12.80 <= 6.12.*unaffected
LinuxLinux6.18.21 <= 6.18.*unaffected
LinuxLinux6.19.11 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References