-
CVE-2026-23267
- EPSS 0.04%
- Veröffentlicht 18.03.2026 17:46:09
- Zuletzt bearbeitet 19.03.2026 13:25:00
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
During SPO tests, when mounting F2FS, an -EINVAL error was returned from
f2fs_recover_inode_page. The issue occurred under the following scenario
Thread A Thread B
f2fs_ioc_commit_atomic_write
- f2fs_do_sync_file // atomic = true
- f2fs_fsync_node_pages
: last_folio = inode folio
: schedule before folio_lock(last_folio) f2fs_write_checkpoint
- block_operations// writeback last_folio
- schedule before f2fs_flush_nat_entries
: set_fsync_mark(last_folio, 1)
: set_dentry_mark(last_folio, 1)
: folio_mark_dirty(last_folio)
- __write_node_folio(last_folio)
: f2fs_down_read(&sbi->node_write)//block
- f2fs_flush_nat_entries
: {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)
- unblock_operations
: f2fs_up_write(&sbi->node_write)
f2fs_write_checkpoint//return
: f2fs_do_write_node_page()
f2fs_ioc_commit_atomic_write//return
SPO
Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has
already been written once. However, the {struct nat_entry}->flag did not
have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and
write last_folio again after Thread B finishes f2fs_write_checkpoint.
After SPO and reboot, it was detected that {struct node_info}->blk_addr
was not NULL_ADDR because Thread B successfully write the checkpoint.
This issue only occurs in atomic write scenarios. For regular file
fsync operations, the folio must be dirty. If
block_operations->f2fs_sync_node_pages successfully submit the folio
write, this path will not be executed. Otherwise, the
f2fs_write_checkpoint will need to wait for the folio write submission
to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the
situation where f2fs_need_dentry_mark checks that the {struct
nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has
already been submitted, will not occur.
Therefore, for atomic file fsync, sbi->node_write should be acquired
through __write_node_folio to ensure that the IS_CHECKPOINTED flag
correctly indicates that the checkpoint write has been completed.Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
≫
Produkt
Linux
Default Statusunaffected
Version
608514deba38c8611ad330d6a3c8e2b9a1f68e4b
Version <
32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d
Status
affected
Version
608514deba38c8611ad330d6a3c8e2b9a1f68e4b
Version <
75e19da068adf0dc5dd269dd157392434b9117d4
Status
affected
Version
608514deba38c8611ad330d6a3c8e2b9a1f68e4b
Version <
962c167b0f262b9962207fbeaa531721d55ea00e
Status
affected
Version
608514deba38c8611ad330d6a3c8e2b9a1f68e4b
Version <
bd66b4c487d5091d2a65d6089e0de36f0c26a4c7
Status
affected
Version
608514deba38c8611ad330d6a3c8e2b9a1f68e4b
Version <
ed81bc5885460905f9160e7b463e5708fd056324
Status
affected
Version
608514deba38c8611ad330d6a3c8e2b9a1f68e4b
Version <
7633a7387eb4d0259d6bea945e1d3469cd135bbc
Status
affected
HerstellerLinux
≫
Produkt
Linux
Default Statusaffected
Version
4.7
Status
affected
Version
0
Version <
4.7
Status
unaffected
Version <=
6.1.*
Version
6.1.164
Status
unaffected
Version <=
6.6.*
Version
6.6.127
Status
unaffected
Version <=
6.12.*
Version
6.12.74
Status
unaffected
Version <=
6.18.*
Version
6.18.13
Status
unaffected
Version <=
6.19.*
Version
6.19.3
Status
unaffected
Version <=
*
Version
7.0
Status
unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.102 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|