CVE-2026-45920

HIGH

ext4: fix dirtyclusters double decrement on fs shutdown

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: fix dirtyclusters double decrement on fs shutdown fstests test generic/388 occasionally reproduces a warning in ext4_put_super() associated with the dirty clusters count: WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4] Tracing the failure shows that the warning fires due to an s_dirtyclusters_counter value of -1. IOW, this appears to be a spurious decrement as opposed to some sort of leak. Further tracing of the dirty cluster count deltas and an LLM scan of the resulting output identified the cause as a double decrement in the error path between ext4_mb_mark_diskspace_used() and the caller ext4_mb_new_blocks(). First, note that generic/388 is a shutdown vs. fsstress test and so produces a random set of operations and shutdown injections. In the problematic case, the shutdown triggers an error return from the ext4_handle_dirty_metadata() call(s) made from ext4_mb_mark_context(). The changed value is non-zero at this point, so ext4_mb_mark_diskspace_used() does not exit after the error bubbles up from ext4_mb_mark_context(). Instead, the former decrements both cluster counters and returns the error up to ext4_mb_new_blocks(). The latter falls into the !ar->len out path which decrements the dirty clusters counter a second time, creating the inconsistency. To avoid this problem and simplify ownership of the cluster reservation in this codepath, lift the counter reduction to a single place in the caller. This makes it more clear that ext4_mb_new_blocks() is responsible for acquiring cluster reservation (via ext4_claim_free_clusters()) in the !delalloc case as well as releasing it, regardless of whether it ends up consumed or returned due to failure.

Scores

CVSS v3 7.8
EPSS 0.0015
EPSS Percentile 4.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-415
Status published
Products (26)
linux/Kernel 2.6.29 - 5.10.253linux
linux/Kernel 5.11.0 - 5.15.203linux
linux/Kernel 5.16.0 - 6.1.167linux
linux/Kernel 6.13.0 - 6.18.14linux
linux/Kernel 6.19.0 - 6.19.4linux
linux/Kernel 6.2.0 - 6.6.130linux
linux/Kernel 6.7.0 - 6.12.75linux
Linux/Linux < 2.6.29
Linux/Linux 0087d9fb3f29f59e8d42c8b058376d80e5adde4c - 3924aea2c33df3864929c1acd178bfc29d8f005f
Linux/Linux 0087d9fb3f29f59e8d42c8b058376d80e5adde4c - 523d5a4df3c649fa305c89efb552ec62a1ce9d3d
... and 16 more
Published May 27, 2026
Tracked Since May 27, 2026