CVE-2026-23233

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to avoid mapping wrong physical block for swapfile<br /> <br /> Xiaolong Guo reported a f2fs bug in bugzilla [1]<br /> <br /> [1] https://bugzilla.kernel.org/show_bug.cgi?id=220951<br /> <br /> Quoted:<br /> <br /> "When using stress-ng&amp;#39;s swap stress test on F2FS filesystem with kernel 6.6+,<br /> the system experiences data corruption leading to either:<br /> 1 dm-verity corruption errors and device reboot<br /> 2 F2FS node corruption errors and boot hangs<br /> <br /> The issue occurs specifically when:<br /> 1 Using F2FS filesystem (ext4 is unaffected)<br /> 2 Swapfile size is less than F2FS section size (2MB)<br /> 3 Swapfile has fragmented physical layout (multiple non-contiguous extents)<br /> 4 Kernel version is 6.6+ (6.1 is unaffected)<br /> <br /> The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the<br /> first extent of a small swapfile (main_blkaddr) % blks_per_sec ||<br /> nr_pblocks % blks_per_sec ||<br /> !f2fs_valid_pinned_area(sbi, pblock)) {<br /> bool last_extent = false;<br /> <br /> not_aligned++;<br /> <br /> nr_pblocks = roundup(nr_pblocks, blks_per_sec);<br /> if (cur_lblock + nr_pblocks &gt; sis-&gt;max)<br /> nr_pblocks -= blks_per_sec;<br /> <br /> /* this extent is last one */<br /> if (!nr_pblocks) {<br /> nr_pblocks = last_lblock - cur_lblock;<br /> last_extent = true;<br /> }<br /> <br /> ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);<br /> if (ret) {<br /> if (ret == -ENOENT)<br /> ret = -EINVAL;<br /> goto out;<br /> }<br /> <br /> if (!last_extent)<br /> goto retry;<br /> }<br /> <br /> When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)<br /> exceeds sis-&gt;max, we subtract blks_per_sec resulting in nr_pblocks = 0. The<br /> code then incorrectly assumes this is the last extent, sets nr_pblocks =<br /> last_lblock - cur_lblock (entire swapfile), and performs migration. After<br /> migration, it doesn&amp;#39;t retry mapping, so subsequent extents are never processed.<br /> "<br /> <br /> In order to fix this issue, we need to lookup block mapping info after<br /> we migrate all blocks in the tail of swapfile.