gfs2: Fix use-after-free in iomap inline data write path

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

gfs2: Fix use-after-free in iomap inline data write path

The inline data buffer head (dibh) is being released prematurely in
gfs2_iomap_begin() via release_metapath() while iomap->inline_data
still points to dibh->b_data. This causes a use-after-free when
iomap_write_end_inline() later attempts to write to the inline data
area.

The bug sequence:
1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode
metadata into dibh
2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)
3. Calls release_metapath() which calls brelse(dibh), dropping refcount
to 0
4. kswapd reclaims the page (~39ms later in the syzbot report)
5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data
6. KASAN detects use-after-free write to freed memory

Fix by storing dibh in iomap->private and incrementing its refcount
with get_bh() in gfs2_iomap_begin(). The buffer is then properly
released in gfs2_iomap_end() after the inline write completes,
ensuring the page stays alive for the entire iomap operation.

Note: A C reproducer is not available for this issue. The fix is based
on analysis of the KASAN report and code review showing the buffer head
is freed before use.

[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid
leaks in gfs2_iomap_get() and gfs2_iomap_alloc().]

Basic Information

ID CVE-2026-45984

Source Linux

Published May 27, 2026 at 12:18

Modified May 30, 2026 at 10:46

Affected Product

Vendor Linux

Product Linux

Version d0a22a4b03b8475b7aa3fa41243c26c291407844

Affected Versions Linux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844
Linux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844
Linux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844
Linux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844
Linux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844
Linux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844
Linux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844
Linux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844
Linux Linux 5.2

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix use-after-free in iomap inline data write path\n\nThe inline data buffer head (dibh) is being released prematurely in\ngfs2_iomap_begin() via release_metapath() while iomap->inline_data\nstill points to dibh->b_data. This causes a use-after-free when\niomap_write_end_inline() later attempts to write to the inline data\narea.\n\nThe bug sequence:\n1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode\n   metadata into dibh\n2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)\n3. Calls release_metapath() which calls brelse(dibh), dropping refcount\n   to 0\n4. kswapd reclaims the page (~39ms later in the syzbot report)\n5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data\n6. KASAN detects use-after-free write to freed memory\n\nFix by storing dibh in iomap->private and incrementing its refcount\nwith get_bh() in gfs2_iomap_begin(). The buffer is then properly\nreleased in gfs2_iomap_end() after the inline write completes,\nensuring the page stays alive for the entire iomap operation.\n\nNote: A C reproducer is not available for this issue. The fix is based\non analysis of the KASAN report and code review showing the buffer head\nis freed before use.\n\n[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid\nleaks in gfs2_iomap_get() and gfs2_iomap_alloc().]",
    "published": "2026-05-27T12:18:42.964Z",
    "modified": "2026-05-30T10:46:25.407Z",
    "type": "cve",
    "title": "gfs2: Fix use-after-free in iomap inline data write path",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff\nhttps://git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142\nhttps://git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c\nhttps://git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4\nhttps://git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d\nhttps://git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215\nhttps://git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d\nhttps://git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321",
    "id": "CVE-2026-45984",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844\nLinux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844\nLinux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844\nLinux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844\nLinux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844\nLinux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844\nLinux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844\nLinux Linux d0a22a4b03b8475b7aa3fa41243c26c291407844\nLinux Linux 5.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "d0a22a4b03b8475b7aa3fa41243c26c291407844",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

gfs2: Fix use-after-free in iomap inline data write path_CVE-2026-45984

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply