CVE-2026-45961

Summary

In the Linux kernel, the following vulnerability has been resolved:

gfs2: fix memory leaks in gfs2_fill_super error path

Fix two memory leaks in the gfs2_fill_super() error handling path when transitioning a filesystem to read-write mode fails.

First leak: kthread objects (thread_struct, task_struct, etc.) When gfs2_freeze_lock_shared() fails after init_threads() succeeds, the created kernel threads (logd and quotad) are never destroyed. This occurs because the fail_per_node label doesn't call gfs2_destroy_threads().

Second leak: quota bitmap buffer (8192 bytes) When gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but before other operations complete, the allocated quota bitmap is never freed.

The fix moves thread cleanup to the fail_per_node label to handle all error paths uniformly. gfs2_destroy_threads() is safe to call unconditionally as it checks for NULL pointers. Quota cleanup is added in gfs2_make_fs_rw() to properly handle the withdrawal case where quota initialization succeeds but the filesystem is then withdrawn.

Thread leak backtrace (gfs2_freeze_lock_shared failure): unreferenced object 0xffff88801d7bca80 (size 4480): copy_process+0x3a1/0x4670 kernel/fork.c:2422 kernel_clone+0xf3/0x6e0 kernel/fork.c:2779 kthread_create_on_node+0x100/0x150 kernel/kthread.c:478 init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611 gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265

Quota leak backtrace (gfs2_make_fs_rw failure): unreferenced object 0xffff88812de7c000 (size 8192): gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409 gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149 gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxb66f723bb552ad59c2acb5d45ea45c890f84498b < e54229ecf49add8451d5f765a32c86ab4446e06caffected
LinuxLinuxb66f723bb552ad59c2acb5d45ea45c890f84498b < da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102affected
LinuxLinux2f8623377f3e0cfaa80558631b8694d02a492b4caffected
LinuxLinuxc713ebf2fe3f469e4af4de60a3427689ffb7c5d7affected
LinuxLinuxc2191e507147b1a22e9170ebb2aaa0f2902fcbfaaffected
LinuxLinux9fc32dad3cdba18669c71893f3e6d96905b39b3faffected
LinuxLinux5.10.173 < 5.11affected
LinuxLinux5.15.99 < 5.16affected
LinuxLinux6.1.16 < 6.2affected
LinuxLinux6.2.3 < 6.3affected
LinuxLinux6.3affected
LinuxLinux0 < 6.3unaffected
LinuxLinux6.19.4 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References