CVE-2026-45920
CVSS v3.1 severity:
HIGH
Type:
CWE-415
Double Free
Publication date:
27/05/2026
Last modified:
24/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix dirtyclusters double decrement on fs shutdown

fstests test generic/388 occasionally reproduces a warning in
ext4_put_super() associated with the dirty clusters count:

WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]

Tracing the failure shows that the warning fires due to an
s_dirtyclusters_counter value of -1. IOW, this appears to be a
spurious decrement as opposed to some sort of leak. Further tracing
of the dirty cluster count deltas and an LLM scan of the resulting
output identified the cause as a double decrement in the error path
between ext4_mb_mark_diskspace_used() and the caller
ext4_mb_new_blocks().

First, note that generic/388 is a shutdown vs. fsstress test and so
produces a random set of operations and shutdown injections. In the
problematic case, the shutdown triggers an error return from the
ext4_handle_dirty_metadata() call(s) made from
ext4_mb_mark_context(). The changed value is non-zero at this point,
so ext4_mb_mark_diskspace_used() does not exit after the error
bubbles up from ext4_mb_mark_context(). Instead, the former
decrements both cluster counters and returns the error up to
ext4_mb_new_blocks(). The latter falls into the !ar->len out path
which decrements the dirty clusters counter a second time, creating
the inconsistency.

To avoid this problem and simplify ownership of the cluster
reservation in this codepath, lift the counter reduction to a single
place in the caller. This makes it more clear that
ext4_mb_new_blocks() is responsible for acquiring cluster
reservation (via ext4_claim_free_clusters()) in the !delalloc case
as well as releasing it, regardless of whether it ends up consumed
or returned due to failure.
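
The accounting error described above, as an added user-space model (not the kernel's code and not taken from the fix commits). All function and struct names are hypothetical, and only the dirty clusters count is modelled: the pre-fix shape releases the reservation in both callee and caller on error, while the post-fix shape releases it once in the caller.

```c
#include <stdio.h>

/* Simplified user-space model, not kernel code. All names are hypothetical.
 * Only the dirty clusters count is tracked; the free count is left out. */
struct sb_model { long dirty_clusters; };

/* Stand-in for the metadata marking step: fails once a shutdown is injected. */
static int mark_context(int shutdown) { return shutdown ? -5 : 0; }

/* Pre-fix callee: drops the reservation itself, even when returning an error. */
static int mark_used_before(struct sb_model *sb, long resv, int shutdown)
{
    int err = mark_context(shutdown);
    sb->dirty_clusters -= resv;
    return err;
}

/* Pre-fix caller: a failed allocation (len == 0) releases the reservation again. */
long dirty_before_fix(long resv, int shutdown)
{
    struct sb_model sb = { 0 };
    long len = resv;
    sb.dirty_clusters += resv;                  /* claim the reservation */
    if (mark_used_before(&sb, resv, shutdown))
        len = 0;
    if (!len)
        sb.dirty_clusters -= resv;              /* second decrement */
    return sb.dirty_clusters;
}

/* Post-fix shape: the callee leaves the counter alone and the caller that
 * claimed the reservation releases it once, on success and on failure. */
long dirty_after_fix(long resv, int shutdown)
{
    struct sb_model sb = { 0 };
    sb.dirty_clusters += resv;                  /* claim the reservation */
    int err = mark_context(shutdown);
    sb.dirty_clusters -= resv;                  /* single release point */
    (void)err;                                  /* the model only reports the counter */
    return sb.dirty_clusters;
}

int main(void)
{
    printf("before fix, shutdown: %ld\n", dirty_before_fix(1, 1));
    printf("after fix,  shutdown: %ld\n", dirty_after_fix(1, 1));
    return 0;
}
```

With a one-cluster reservation and an injected shutdown, the pre-fix model ends at -1, the value the warning in ext4_put_super() reports.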
Impact
Base score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | To |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.29 (including) | 5.10.253 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.203 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.167 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.130 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.75 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.4 (excluding) |
References to solutions, tools and information
- https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f
- https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d
- https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20
- https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897
- https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128
- https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3
- https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95
- https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769



