CVE-2026-23234

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 04/03/2026
Last modified: 04/03/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid UAF in f2fs_write_end_io()

syzbot reported a use-after-free issue in f2fs_write_end_io().

It is caused by the race condition below:

loop device                             umount
- worker_thread
 - loop_process_work
  - do_req_filebacked
   - lo_rw_aio
    - lo_rw_aio_complete
     - blk_mq_end_request
      - blk_update_request
       - f2fs_write_end_io
        - dec_page_count
        - folio_end_writeback
                                        - kill_f2fs_super
                                         - kill_block_super
                                          - f2fs_put_super
                                           : free(sbi)
         : get_pages(, F2FS_WB_CP_DATA)
           accessed sbi which is freed

In kill_f2fs_super(), we will drop all page caches of f2fs inodes before
calling free(sbi). It guarantees that all folios should end their writeback, so
it should be safe to access sbi before the last folio_end_writeback().

Let's relocate the ckpt thread wakeup flow before folio_end_writeback() to
resolve this issue.
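The ordering rule behind this fix, as an added example that is neither kernel code nor part of the CVE record: a single-threaded userspace model in which the umount side's free(sbi) runs the moment the last folio leaves writeback, which is the worst-case interleaving from the trace above. All struct and function names are hypothetical stand-ins for the kernel objects named in the description.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model; every name here is a hypothetical stand-in, not kernel code. */
struct sb_info { int wb_pages; int ckpt_wakeups; };
struct model {
    struct sb_info *sbi;
    int folios_in_writeback; /* umount waits for this to reach zero */
    int sbi_freed;
    int stale_access;        /* set where freed sbi would have been read */
};

/* Ending the last folio's writeback lets the waiting umount free sbi. */
static void end_writeback(struct model *m)
{
    if (--m->folios_in_writeback == 0) {
        free(m->sbi);
        m->sbi = NULL;
        m->sbi_freed = 1;
    }
}

/* Read the counter and wake the checkpoint thread once it has drained. */
static void wake_ckpt_if_drained(struct model *m)
{
    if (m->sbi_freed) {      /* kernel code would dereference freed memory here */
        m->stale_access = 1;
        return;
    }
    if (m->sbi->wb_pages == 0)
        m->sbi->ckpt_wakeups++;
}

/* Returns 1 if the completion path touched sbi after it was freed. */
int run_end_io(int wakeup_first)
{
    struct model m = { calloc(1, sizeof(struct sb_info)), 1, 0, 0 };
    if (!m.sbi) return -1;
    /* calloc leaves wb_pages at 0, i.e. the state after dec_page_count */
    if (wakeup_first) wake_ckpt_if_drained(&m);
    end_writeback(&m);
    if (!wakeup_first) wake_ckpt_if_drained(&m);
    free(m.sbi);             /* NULL (no-op) when umount already freed it */
    return m.stale_access;
}

int main(void)
{
    printf("old order: %d, relocated: %d\n", run_end_io(0), run_end_io(1));
}
```

The model only records where the stale read would happen; it never dereferences freed memory, so it runs cleanly under sanitizers in both orderings.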

Impact