CVE-2026-46194
EUVD-2026-3282128.05.2026, 10:16
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix node_cnt race between extent node destroy and writeback
f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing
extent nodes. When called from f2fs_drop_inode() with I_SYNC set,
concurrent kworker writeback can insert new extent nodes into the same
extent tree, racing with the destroy and triggering f2fs_bug_on() in
__destroy_extent_node(). The scenario is as follows:
drop inode writeback
- iput
- f2fs_drop_inode // I_SYNC set
- f2fs_destroy_extent_node
- __destroy_extent_node
- while (node_cnt) {
write_lock(&et->lock)
__free_extent_tree
write_unlock(&et->lock)
- __writeback_single_inode
- f2fs_outplace_write_data
- f2fs_update_read_extent_cache
- __update_extent_tree_range
// FI_NO_EXTENT not set,
// insert new extent node
} // node_cnt == 0, exit while
- f2fs_bug_on(node_cnt) // node_cnt > 0
Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for
EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.
This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(),
consistent with other callers (__update_extent_tree_range and
__drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and
EX_BLOCK_AGE tree.Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 6.6.66 ≤ 𝑥 < 6.6.140 |
| linux | linux_kernel | 6.12.5 ≤ 𝑥 < 6.12.88 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.18.30 |
| linux | linux_kernel | 6.19 ≤ 𝑥 < 7.0.7 |
𝑥
= Vulnerable software versions
Debian Releases
Vulnerability Media Exposure
References