CVE-2026-46005
Description
In the Linux kernel, the following vulnerability has been resolved:
xfs: fix a resource leak in xfs_alloc_buftarg()
In the error path, call fs_put_dax() to drop the DAX device reference.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A resource leak in the XFS filesystem's xfs_alloc_buftarg() function causes a missing fs_put_dax() call on error, leading to a DAX device reference leak.
Vulnerability
In the Linux kernel, the function xfs_alloc_buftarg() fails to release a DAX device reference via fs_put_dax() on its error path. This affects the XFS filesystem implementation. The bug exists in various stable kernel versions up to the point of the fix (commit 82fb9da6477d08bdab954dc7bc081a41f2f9cae6). [1]
Exploitation
An attacker requires local access to the system and the ability to trigger the error condition in xfs_alloc_buftarg(), likely by mounting an XFS filesystem on a DAX-capable device in a way that causes allocation failure. No special authentication beyond normal user access to trigger mount operations is required; the exploitation is local and does not involve network interaction.
Impact
On success, the attacker can cause a resource leak of a DAX device reference. This may lead to resource exhaustion or denial of service (availability impact) over repeated trigger attempts. There is no confidentiality or integrity impact; the bug is purely a resource leak.
Mitigation
The fix was applied in the Linux kernel stable tree via commit 82fb9da6477d08bdab954dc7bc081a41f2f9cae6. [1] Users should update to a kernel version containing this commit. No workaround is documented; the only mitigation is to apply the kernel patch.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
1029a7b2614357xfs: fix a resource leak in xfs_alloc_buftarg()
2 files changed · +2 −2
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index ee8c3944015a1a..580d40a5ee5797 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1756,6 +1756,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index ee8c3944015a1a..580d40a5ee5797 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1756,6 +1756,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
28a6c132b8c6xfs: fix a resource leak in xfs_alloc_buftarg()
2 files changed · +2 −2
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 6bcbdc8bf186da..afcdfe317b7e86 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -2127,6 +2127,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return NULL; } -- cgit 1.3-korg
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 6bcbdc8bf186da..afcdfe317b7e86 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -2127,6 +2127,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return NULL; } -- cgit 1.3-korg
82fb9da6477dxfs: fix a resource leak in xfs_alloc_buftarg()
2 files changed · +2 −2
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 20c1d146af1da7..1181108f807464 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -2045,6 +2045,7 @@ error_pcpu: error_lru: list_lru_destroy(&btp->bt_lru); error_free: + fs_put_dax(btp->bt_daxdev, mp); kmem_free(btp); return NULL; } -- cgit 1.3-korg
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 20c1d146af1da7..1181108f807464 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -2045,6 +2045,7 @@ error_pcpu: error_lru: list_lru_destroy(&btp->bt_lru); error_free: + fs_put_dax(btp->bt_daxdev, mp); kmem_free(btp); return NULL; } -- cgit 1.3-korg
5c293a1e1ef0xfs: fix a resource leak in xfs_alloc_buftarg()
2 files changed · +2 −2
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 47edf3041631bb..1ca95ef46a73dc 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1831,6 +1831,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 47edf3041631bb..1ca95ef46a73dc 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1831,6 +1831,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
5804cb507233xfs: fix a resource leak in xfs_alloc_buftarg()
2 files changed · +2 −2
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index d2f3c50d80e70f..faed2ed587dda4 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1831,6 +1831,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index d2f3c50d80e70f..faed2ed587dda4 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1831,6 +1831,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
82fb9da6477dxfs: fix a resource leak in xfs_alloc_buftarg()
2 files changed · +2 −2
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 20c1d146af1da7..1181108f807464 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -2045,6 +2045,7 @@ error_pcpu: error_lru: list_lru_destroy(&btp->bt_lru); error_free: + fs_put_dax(btp->bt_daxdev, mp); kmem_free(btp); return NULL; } -- cgit 1.3-korg
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 20c1d146af1da7..1181108f807464 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -2045,6 +2045,7 @@ error_pcpu: error_lru: list_lru_destroy(&btp->bt_lru); error_free: + fs_put_dax(btp->bt_daxdev, mp); kmem_free(btp); return NULL; } -- cgit 1.3-korg
5804cb507233xfs: fix a resource leak in xfs_alloc_buftarg()
2 files changed · +2 −2
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index d2f3c50d80e70f..faed2ed587dda4 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1831,6 +1831,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index d2f3c50d80e70f..faed2ed587dda4 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1831,6 +1831,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
5c293a1e1ef0xfs: fix a resource leak in xfs_alloc_buftarg()
2 files changed · +2 −2
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 47edf3041631bb..1ca95ef46a73dc 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1831,6 +1831,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 47edf3041631bb..1ca95ef46a73dc 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1831,6 +1831,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
29a7b2614357xfs: fix a resource leak in xfs_alloc_buftarg()
2 files changed · +2 −2
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index ee8c3944015a1a..580d40a5ee5797 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1756,6 +1756,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index ee8c3944015a1a..580d40a5ee5797 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -1756,6 +1756,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return ERR_PTR(error); } -- cgit 1.3-korg
28a6c132b8c6xfs: fix a resource leak in xfs_alloc_buftarg()
2 files changed · +2 −2
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 6bcbdc8bf186da..afcdfe317b7e86 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -2127,6 +2127,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return NULL; } -- cgit 1.3-korg
fs/xfs/xfs_buf.c+1 −1 modifieddiff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c index 6bcbdc8bf186da..afcdfe317b7e86 100644 --- a/fs/xfs/xfs_buf.c +++ b/fs/xfs/xfs_buf.c @@ -2127,6 +2127,7 @@ xfs_alloc_buftarg( return btp; error_free: + fs_put_dax(btp->bt_daxdev, mp); kfree(btp); return NULL; } -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing fs_put_dax() call in the error path of xfs_alloc_buftarg() causes a DAX device reference leak."
Attack vector
An attacker cannot directly trigger this bug from userspace; it is a resource leak that occurs during XFS mount initialization when `xfs_alloc_buftarg()` encounters an error after successfully obtaining a DAX device reference. Repeated mount attempts that hit this error path will leak DAX references, potentially exhausting kernel resources and leading to denial of service.
Affected code
The vulnerability resides in the `xfs_alloc_buftarg()` function in `fs/xfs/xfs_buf.c`. The `error_free` label path frees the `btp` structure but does not release the DAX device reference held in `btp->bt_daxdev` before returning.
What the fix does
The patch adds a single call to `fs_put_dax(btp->bt_daxdev, mp)` in the `error_free` label, before `kfree(btp)` (or `kmem_free(btp)` in backport variants). This ensures that the DAX device reference acquired earlier in the function is properly released when the buffer target allocation fails, preventing the reference from being leaked.
Preconditions
- configThe XFS filesystem must be configured to use a DAX-capable device (e.g., a pmem namespace in fsdax mode).
- inputThe xfs_alloc_buftarg() function must fail after it has successfully obtained a DAX device reference via fs_dax_get_by_bdev() or similar.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/28a6c132b8c6e5eeefa889c4fb43d65b12989d48nvd
- git.kernel.org/stable/c/29a7b2614357393b176ef06ba5bc3ff5afc8df69nvd
- git.kernel.org/stable/c/5804cb507233ed767a83ac70527b2f6c4566ec75nvd
- git.kernel.org/stable/c/5c293a1e1ef0f838772d20ae8afae4cbd87cd3f9nvd
- git.kernel.org/stable/c/82fb9da6477d08bdab954dc7bc081a41f2f9cae6nvd
News mentions
0No linked articles in our index yet.