CVE-2026-45984
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Fix use-after-free in iomap inline data write path
The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area.
The bug sequence:
- gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh
- Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)
- Calls release_metapath() which calls brelse(dibh), dropping refcount to 0
- kswapd reclaims the page (~39ms later in the syzbot report)
- iomap_write_end_inline() tries to memcpy() to iomap->inline_data
- KASAN detects use-after-free write to freed memory
Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation.
Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use.
[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d0a22a4b03b8475b7aa3fa41243c26c291407844 < 1403989d1b502f4a2c0d0b42ccf1c25748442eff | affected |
| Linux | Linux | d0a22a4b03b8475b7aa3fa41243c26c291407844 < 1cae1bafdf9caa9b462b19af06b1a06902e4e142 | affected |
| Linux | Linux | d0a22a4b03b8475b7aa3fa41243c26c291407844 < 764c3c84b5683e608f43735c803a5f415046686c | affected |
| Linux | Linux | d0a22a4b03b8475b7aa3fa41243c26c291407844 < d87268326b277af3665237ac76a73dd9fa8e21b4 | affected |
| Linux | Linux | d0a22a4b03b8475b7aa3fa41243c26c291407844 < 87d4954b5c59735a99ea98cb208d47130f6dce7d | affected |
| Linux | Linux | d0a22a4b03b8475b7aa3fa41243c26c291407844 < 6d76febba07c40bcf358f63216d36ea68cf1c215 | affected |
| Linux | Linux | d0a22a4b03b8475b7aa3fa41243c26c291407844 < 815ddd27c0c7171a99fe802fdb19098ddef8b19d | affected |
| Linux | Linux | d0a22a4b03b8475b7aa3fa41243c26c291407844 < faddeb848305e79db89ee0479bb0e33380656321 | affected |
| Linux | Linux | 5.2 | affected |
| Linux | Linux | 0 < 5.2 | unaffected |
| Linux | Linux | 5.10.252 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.202 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.165 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.128 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.75 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.14 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.4 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
ADP Enrichment
kernel: gfs2: Fix use-after-free in iomap inline data write path
Additional References
- https://access.redhat.com/security/cve/CVE-2026-45984
- https://bugzilla.redhat.com/show_bug.cgi?id=2481922
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45984.json
- https://access.redhat.com/errata/RHSA-2026:27789
- https://access.redhat.com/errata/RHSA-2026:33743
References
- https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff
- https://git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142
- https://git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c
- https://git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4
- https://git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d
- https://git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215
- https://git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d
- https://git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.