ext4: fix dirtyclusters double decrement on fs shutdown
Summary
| CVE | CVE-2026-45920 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-27 14:17:06 UTC |
| Updated | 2026-05-27 14:48:03 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: ext4: fix dirtyclusters double decrement on fs shutdown fstests test generic/388 occasionally reproduces a warning in ext4_put_super() associated with the dirty clusters count: WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4] Tracing the failure shows that the warning fires due to an s_dirtyclusters_counter value of -1. IOW, this appears to be a spurious decrement as opposed to some sort of leak. Further tracing of the dirty cluster count deltas and an LLM scan of the resulting output identified the cause as a double decrement in the error path between ext4_mb_mark_diskspace_used() and the caller ext4_mb_new_blocks(). First, note that generic/388 is a shutdown vs. fsstress test and so produces a random set of operations and shutdown injections. In the problematic case, the shutdown triggers an error return from the ext4_handle_dirty_metadata() call(s) made from ext4_mb_mark_context(). The changed value is non-zero at this point, so ext4_mb_mark_diskspace_used() does not exit after the error bubbles up from ext4_mb_mark_context(). Instead, the former decrements both cluster counters and returns the error up to ext4_mb_new_blocks(). The latter falls into the !ar->len out path which decrements the dirty clusters counter a second time, creating the inconsistency. To avoid this problem and simplify ownership of the cluster reservation in this codepath, lift the counter reduction to a single place in the caller. This makes it more clear that ext4_mb_new_blocks() is responsible for acquiring cluster reservation (via ext4_claim_free_clusters()) in the !delalloc case as well as releasing it, regardless of whether it ends up consumed or returned due to failure. |
Risk And Classification
EPSS: 0.000240000 probability, percentile 0.073320000 (date 2026-06-01)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 523d5a4df3c649fa305c89efb552ec62a1ce9d3d git | Not specified |
| CNA | Linux | Linux | affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c ca408af08544d96769c93a3d81a7f63f61129e95 git | Not specified |
| CNA | Linux | Linux | affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 55576fa14771d33994c29a9ae960e07bb3f56c20 git | Not specified |
| CNA | Linux | Linux | affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c dbc4e10619ed87a50e637b96f2e574df36a7a769 git | Not specified |
| CNA | Linux | Linux | affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 61e372122b6d95aec940fdaea0a16f988f359897 git | Not specified |
| CNA | Linux | Linux | affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 3924aea2c33df3864929c1acd178bfc29d8f005f git | Not specified |
| CNA | Linux | Linux | affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 81982a11406c5da6c6e2b188028e7056e16b7128 git | Not specified |
| CNA | Linux | Linux | affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 94a8cea54cd935c54fa2fba70354757c0fc245e3 git | Not specified |
| CNA | Linux | Linux | affected 2.6.29 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.29 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.253 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.203 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.167 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.130 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.75 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.14 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.4 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.