{"id":"CVE-2024-39276","summary":"ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()\n\nSyzbot reports a warning as follows:\n\n============================================\nWARNING: CPU: 0 PID: 5075 at fs/mbcache.c:419 mb_cache_destroy+0x224/0x290\nModules linked in:\nCPU: 0 PID: 5075 Comm: syz-executor199 Not tainted 6.9.0-rc6-gb947cc5bf6d7\nRIP: 0010:mb_cache_destroy+0x224/0x290 fs/mbcache.c:419\nCall Trace:\n \u003cTASK\u003e\n ext4_put_super+0x6d4/0xcd0 fs/ext4/super.c:1375\n generic_shutdown_super+0x136/0x2d0 fs/super.c:641\n kill_block_super+0x44/0x90 fs/super.c:1675\n ext4_kill_sb+0x68/0xa0 fs/ext4/super.c:7327\n[...]\n============================================\n\nThis is because when finding an entry in ext4_xattr_block_cache_find(), if\next4_sb_bread() returns -ENOMEM, the ce's e_refcnt, which has already grown\nin the __entry_find(), won't be put away, and eventually trigger the above\nissue in mb_cache_destroy() due to reference count leakage.\n\nSo call mb_cache_entry_put() on the -ENOMEM error branch as a quick fix.","modified":"2026-03-20T12:37:12.972950Z","published":"2024-06-25T14:22:38.886Z","related":["ALSA-2024:5101","MGASA-2024-0263","MGASA-2024-0266","SUSE-SU-2024:2802-1","SUSE-SU-2024:2894-1","SUSE-SU-2024:2896-1","SUSE-SU-2024:2939-1","SUSE-SU-2024:2947-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39276.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0c0b4a49d3e7f49690a6827a41faeffad5df7e21"},{"type":"WEB","url":"https://git.kernel.org/stable/c/681ff9a09accd8a4379f8bd30b7a1641ee19bb3e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/76dc776153a47372719d664e0fc50d6355791abb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/896a7e7d0d555ad8b2b46af0c2fa7de7467f9483"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9ad75e78747b5a50dc5a52f0f8e92e920a653f16"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a95df6f04f2c37291adf26a74205cde0314d4577"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b37c0edef4e66fb21a2fbc211471195a383e5ab8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e941b712e758f615d311946bf98216e79145ccd9"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39276.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39276"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b878c8a7f08f0c225b6a46ba1ac867e9c5d17807"},{"fixed":"9ad75e78747b5a50dc5a52f0f8e92e920a653f16"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"fb265c9cb49e2074ddcdd4de99728aefdd3b3592"},{"fixed":"896a7e7d0d555ad8b2b46af0c2fa7de7467f9483"},{"fixed":"76dc776153a47372719d664e0fc50d6355791abb"},{"fixed":"681ff9a09accd8a4379f8bd30b7a1641ee19bb3e"},{"fixed":"e941b712e758f615d311946bf98216e79145ccd9"},{"fixed":"a95df6f04f2c37291adf26a74205cde0314d4577"},{"fixed":"b37c0edef4e66fb21a2fbc211471195a383e5ab8"},{"fixed":"0c0b4a49d3e7f49690a6827a41faeffad5df7e21"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"9da1f6d06b7a6d068e68fcfd7cbbf6b586d888e1"},{"last_affected":"81313ed2c705d958744882a269bf4a5e3ddec95e"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-39276.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}