PT-2026-43828 · Linux · Linux
Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-45961
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
gfs2: fix memory leaks in gfs2_fill_super error path

Fix two memory leaks in the gfs2_fill_super() error handling path when
transitioning a filesystem to read-write mode fails.

First leak: kthread objects (thread_struct, task_struct, etc.)
When gfs2_freeze_lock_shared() fails after init_threads() succeeds, the
created kernel threads (logd and quotad) are never destroyed. This
occurs because the fail_per_node label doesn't call
gfs2_destroy_threads().

Second leak: quota bitmap buffer (8192 bytes)
When gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but
before other operations complete, the allocated quota bitmap is never
freed.

The fix moves thread cleanup to the fail_per_node label to handle all
error paths uniformly. gfs2_destroy_threads() is safe to call
unconditionally as it checks for NULL pointers. Quota cleanup is added
in gfs2_make_fs_rw() to properly handle the withdrawal case where
quota initialization succeeds but the filesystem is then withdrawn.

Thread leak backtrace (gfs2_freeze_lock_shared failure):
  unreferenced object 0xffff88801d7bca80 (size 4480):
    copy_process+0x3a1/0x4670 kernel/fork.c:2422
    kernel_clone+0xf3/0x6e0 kernel/fork.c:2779
    kthread_create_on_node+0x100/0x150 kernel/kthread.c:478
    init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611
    gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265

Quota leak backtrace (gfs2_make_fs_rw failure):
  unreferenced object 0xffff88812de7c000 (size 8192):
    gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409
    gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149
    gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275
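
The two error paths described above, modelled in userspace C as an added example (not the kernel's code or the patch itself), with a counter standing in for the leak detector. The function names mirror the description; the `fail_at` and `fixed` parameters, the allocation sizes for the threads and the `live` counter are constructed, and the "before" variant assumes thread cleanup previously ran only on the make-rw failure branch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model with constructed names; `live` counts outstanding objects. */
static int live;
static void *track_alloc(size_t n) { void *p = malloc(n); if (p) live++; return p; }
static void track_free(void *p) { if (p) { free(p); live--; } }

struct sb { void *logd, *quotad, *quota_bitmap; };

/* NULL-safe, so any error label may call it unconditionally. */
static void destroy_threads(struct sb *s) {
    track_free(s->logd);   s->logd = NULL;
    track_free(s->quotad); s->quotad = NULL;
}
static int init_threads(struct sb *s) {
    s->logd = track_alloc(64);
    s->quotad = track_alloc(64);
    return (s->logd && s->quotad) ? 0 : -1;
}
/* Quota init succeeds, then the read-write transition fails when fail_at == 2. */
static int make_fs_rw(struct sb *s, int fail_at, int fixed) {
    s->quota_bitmap = track_alloc(8192);
    if (!s->quota_bitmap) return -1;
    if (fail_at != 2) return 0;
    if (fixed) { track_free(s->quota_bitmap); s->quota_bitmap = NULL; }
    return -1;
}
/* fail_at: 0 = none, 1 = freeze lock, 2 = make_fs_rw. Returns objects leaked. */
int fill_super(int fail_at, int fixed) {
    struct sb s = {0};
    live = 0;
    if (init_threads(&s)) goto fail_per_node;
    if (fail_at == 1) goto fail_per_node;      /* freeze lock failed */
    if (make_fs_rw(&s, fail_at, fixed)) {
        if (!fixed) destroy_threads(&s);       /* before: only this path cleaned up */
        goto fail_per_node;
    }
    track_free(s.quota_bitmap);                /* success: model a clean unmount */
    destroy_threads(&s);
    return live;
fail_per_node:
    if (fixed) destroy_threads(&s);            /* after: one cleanup for every path */
    return live;
}
int main(void) {
    for (int f = 1; f <= 2; f++)
        printf("fail_at=%d before=%d after=%d\n", f, fill_super(f, 0), fill_super(f, 1));
    return 0;
}
```
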
Related Identifiers
Affected Products
Linux