CVE-2026-46194

Summary

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix node_cnt race between extent node destroy and writeback

f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:

drop inode writeback

  • iput
  • f2fs_drop_inode // I_SYNC set
  • f2fs_destroy_extent_node - __destroy_extent_node
    • while (node_cnt) { write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock) - __writeback_single_inode - f2fs_outplace_write_data - f2fs_update_read_extent_cache - __update_extent_tree_range // FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while
    • f2fs_bug_on(node_cnt) // node_cnt > 0

Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.

This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux295b50e95e900da31ff237e46e04525fa799b2cf < 42dd1c91f993431d0b399502479d00e6ad1bca71affected
LinuxLinux924f7dd1e832e4e4530d14711db223d2803f7b61 < ab1eaf9d5c99042f5b0243bf67a06283a4c0757faffected
LinuxLinux3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343 < b0e4395870eb3441ddc959f6710b5f6ca61aff26affected
LinuxLinux3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343 < 0559a0e962aacbb47519e26ee663be04b72dcb92affected
LinuxLinux3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343 < ed78aeebef05212ef7dca93bd931e4eff67c113faffected
LinuxLinux6.6.66 < 6.6.140affected
LinuxLinux6.12.5 < 6.12.88affected
LinuxLinux6.13affected
LinuxLinux0 < 6.13unaffected
LinuxLinux6.6.140 <= 6.6.*unaffected
LinuxLinux6.12.88 <= 6.12.*unaffected
LinuxLinux6.18.30 <= 6.18.*unaffected
LinuxLinux7.0.7 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References