{"id":"CVE-2026-45984","summary":"gfs2: Fix use-after-free in iomap inline data write path","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix use-after-free in iomap inline data write path\n\nThe inline data buffer head (dibh) is being released prematurely in\ngfs2_iomap_begin() via release_metapath() while iomap-\u003einline_data\nstill points to dibh-\u003eb_data. This causes a use-after-free when\niomap_write_end_inline() later attempts to write to the inline data\narea.\n\nThe bug sequence:\n1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode\n   metadata into dibh\n2. Sets iomap-\u003einline_data = dibh-\u003eb_data + sizeof(struct gfs2_dinode)\n3. Calls release_metapath() which calls brelse(dibh), dropping refcount\n   to 0\n4. kswapd reclaims the page (~39ms later in the syzbot report)\n5. iomap_write_end_inline() tries to memcpy() to iomap-\u003einline_data\n6. KASAN detects use-after-free write to freed memory\n\nFix by storing dibh in iomap-\u003eprivate and incrementing its refcount\nwith get_bh() in gfs2_iomap_begin(). The buffer is then properly\nreleased in gfs2_iomap_end() after the inline write completes,\nensuring the page stays alive for the entire iomap operation.\n\nNote: A C reproducer is not available for this issue. The fix is based\non analysis of the KASAN report and code review showing the buffer head\nis freed before use.\n\n[agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid\nleaks in gfs2_iomap_get() and gfs2_iomap_alloc().]","modified":"2026-06-01T03:55:47.058385744Z","published":"2026-05-27T12:18:42.964Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45984.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1cae1bafdf9caa9b462b19af06b1a06902e4e142"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6d76febba07c40bcf358f63216d36ea68cf1c215"},{"type":"WEB","url":"https://git.kernel.org/stable/c/764c3c84b5683e608f43735c803a5f415046686c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/815ddd27c0c7171a99fe802fdb19098ddef8b19d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/87d4954b5c59735a99ea98cb208d47130f6dce7d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d87268326b277af3665237ac76a73dd9fa8e21b4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/faddeb848305e79db89ee0479bb0e33380656321"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45984.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45984"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d0a22a4b03b8475b7aa3fa41243c26c291407844"},{"fixed":"1403989d1b502f4a2c0d0b42ccf1c25748442eff"},{"fixed":"1cae1bafdf9caa9b462b19af06b1a06902e4e142"},{"fixed":"764c3c84b5683e608f43735c803a5f415046686c"},{"fixed":"d87268326b277af3665237ac76a73dd9fa8e21b4"},{"fixed":"87d4954b5c59735a99ea98cb208d47130f6dce7d"},{"fixed":"6d76febba07c40bcf358f63216d36ea68cf1c215"},{"fixed":"815ddd27c0c7171a99fe802fdb19098ddef8b19d"},{"fixed":"faddeb848305e79db89ee0479bb0e33380656321"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45984.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.2.0"},{"fixed":"5.10.252"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.202"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.165"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.128"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45984.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}