CVE-2025-40209

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/11/2025
Last modified:
21/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation

When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.

The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.

In btrfs_ioctl_qgroup_assign(), the code pattern is:

    prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);
    ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);
    prealloc = NULL; // Always set to NULL regardless of return value
    ...
    kfree(prealloc); // This becomes kfree(NULL), does nothing

When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.

Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.
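The ownership mistake described above is easy to reproduce outside the kernel. The following is an added illustration written for this record, not code from the btrfs tree: it models the caller/callee contract from the description with a counting allocator in place of kzalloc()/kfree(), a toy relation table that takes ownership of prealloc on success, and a constructed qgroup id layout (level in the top 16 bits, shift value chosen here) so the "src level >= dst level" rejection can be triggered. The leaky and fixed versions of the callee sit side by side, and the live-allocation count shows one orphaned object per rejected call in the first and none in the second.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's qgroup_list; only its heap lifetime matters. */
struct qgroup_list {
	uint64_t src;
	uint64_t dst;
};

/* Live-allocation counter standing in for the kernel allocator, so a leak becomes
 * a number to assert on rather than a kmemleak report. */
static int live_allocs;

static void *fake_kzalloc(size_t size)
{
	void *p = calloc(1, size);
	if (p)
		live_allocs++;
	return p;
}

static void fake_kfree(void *p)
{
	if (p)
		live_allocs--;
	free(p);	/* free(NULL) is a no-op, like kfree(NULL) */
}

/* Assumption for this example: the qgroup level is the id's top 16 bits. */
#define QGROUP_LEVEL_SHIFT 48
static uint64_t qgroup_level(uint64_t qgroupid)
{
	return qgroupid >> QGROUP_LEVEL_SHIFT;
}

/* Toy relation table: on success the callee takes ownership of prealloc. */
#define MAX_RELATIONS 64
static struct qgroup_list *relations[MAX_RELATIONS];
static int nr_relations;

static int insert_relation(uint64_t src, uint64_t dst, struct qgroup_list *prealloc)
{
	if (nr_relations == MAX_RELATIONS) {
		fake_kfree(prealloc);	/* the 'out'-label style cleanup: unused prealloc freed */
		return -ENOSPC;
	}
	prealloc->src = src;
	prealloc->dst = dst;
	relations[nr_relations++] = prealloc;
	return 0;
}

/* Vulnerable shape: the level check returns before any path frees prealloc. */
static int add_relation_leaky(uint64_t src, uint64_t dst, struct qgroup_list *prealloc)
{
	if (qgroup_level(src) >= qgroup_level(dst))
		return -EINVAL;		/* prealloc is orphaned here */
	return insert_relation(src, dst, prealloc);
}

/* Fixed shape: free prealloc before the early return, as the patch describes. */
static int add_relation_fixed(uint64_t src, uint64_t dst, struct qgroup_list *prealloc)
{
	if (qgroup_level(src) >= qgroup_level(dst)) {
		fake_kfree(prealloc);
		return -EINVAL;
	}
	return insert_relation(src, dst, prealloc);
}

/* Mirrors the caller pattern quoted in the description: prealloc is always cleared
 * after the call, so the caller's kfree() can never recover a rejected object. */
static int ioctl_qgroup_assign(uint64_t src, uint64_t dst, int fixed)
{
	struct qgroup_list *prealloc = fake_kzalloc(sizeof(*prealloc));
	int ret;

	if (!prealloc)
		return -ENOMEM;
	ret = fixed ? add_relation_fixed(src, dst, prealloc)
		    : add_relation_leaky(src, dst, prealloc);
	prealloc = NULL;	/* always set to NULL regardless of ret */
	fake_kfree(prealloc);	/* kfree(NULL): does nothing */
	return ret;
}

/* Drop every stored relation so the counter returns to zero between scenarios. */
void reset_relations(void)
{
	while (nr_relations > 0)
		fake_kfree(relations[--nr_relations]);
}

/* Live allocations left after n rejected calls (src level 1, dst level 0). */
int leaked_after_rejected_calls(int n, int fixed)
{
	const uint64_t src = (1ULL << QGROUP_LEVEL_SHIFT) | 5;
	const uint64_t dst = 7;

	reset_relations();
	live_allocs = 0;
	for (int i = 0; i < n; i++)
		if (ioctl_qgroup_assign(src, dst, fixed) != -EINVAL)
			return -1;
	return live_allocs;
}

/* A valid relation (level 0 -> level 1): prealloc is consumed by the table, not leaked. */
int live_after_valid_relation(int fixed)
{
	reset_relations();
	live_allocs = 0;
	if (ioctl_qgroup_assign(7, (1ULL << QGROUP_LEVEL_SHIFT) | 5, fixed) != 0)
		return -1;
	return live_allocs;	/* 1: owned by the relation table */
}

int main(void)
{
	printf("leaky: %d live allocs after 100 rejected calls\n", leaked_after_rejected_calls(100, 0));
	printf("fixed: %d live allocs after 100 rejected calls\n", leaked_after_rejected_calls(100, 1));
	return 0;
}
```

The counter is the whole point: an object handed to a callee must have exactly one owner on every exit path, and the caller's unconditional `prealloc = NULL` means the callee is that owner even when it rejects the arguments early. Reviewing a function for "every return after the object is passed in either stores it or frees it" catches this class of bug before kmemleak does.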

Impact