CVE-2026-23267

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/03/2026
Last modified: 19/03/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes

During SPO tests, when mounting F2FS, an -EINVAL error was returned from
f2fs_recover_inode_page. The issue occurred under the following scenario:

    Thread A                                     Thread B
    f2fs_ioc_commit_atomic_write
     - f2fs_do_sync_file // atomic = true
      - f2fs_fsync_node_pages
        : last_folio = inode folio
        : schedule before folio_lock(last_folio) f2fs_write_checkpoint
                                                  - block_operations // writeback last_folio
                                                  - schedule before f2fs_flush_nat_entries
        : set_fsync_mark(last_folio, 1)
        : set_dentry_mark(last_folio, 1)
        : folio_mark_dirty(last_folio)
        - __write_node_folio(last_folio)
          : f2fs_down_read(&sbi->node_write) // block
                                                  - f2fs_flush_nat_entries
                                                    : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)
                                                  - unblock_operations
                                                    : f2fs_up_write(&sbi->node_write)
                                                 f2fs_write_checkpoint // return
          : f2fs_do_write_node_page()
    f2fs_ioc_commit_atomic_write // return

    SPO

Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has
already been written once. However, the {struct nat_entry}->flag did not
have IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) to be
called and last_folio to be written again after Thread B finishes
f2fs_write_checkpoint.

After SPO and reboot, it was detected that {struct node_info}->blk_addr
was not NULL_ADDR because Thread B successfully wrote the checkpoint.

This issue only occurs in atomic write scenarios. For regular file
fsync operations, the folio must be dirty. If
block_operations->f2fs_sync_node_pages successfully submits the folio
write, this path will not be executed. Otherwise,
f2fs_write_checkpoint will need to wait for the folio write submission
to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the
situation where f2fs_need_dentry_mark sees the {struct
nat_entry}->flag without the IS_CHECKPOINTED flag, but the folio write has
already been submitted, will not occur.

Therefore, for atomic file fsync, sbi->node_write should be acquired
through __write_node_folio to ensure that the IS_CHECKPOINTED flag
correctly indicates that the checkpoint write has been completed.
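The interleaving above can be replayed deterministically in user space. The following is an added example, not code from the kernel or from the patch: `struct state`, `thread_a_step`, `replay_inconsistent` and `check_under_lock` are hypothetical names, and the model assumes the fix amounts to reading IS_CHECKPOINTED only once sbi->node_write is held.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed user-space model of the interleaving; not kernel code. */
struct state {
    bool checkpointed;   /* BIT(IS_CHECKPOINTED) in {struct nat_entry}->flag */
    bool node_write;     /* Thread B holds sbi->node_write for writing */
    bool marked;         /* Thread A has already decided the dentry mark */
    bool dentry_mark;    /* dentry mark carried by last_folio */
    bool written;        /* Thread A's f2fs_do_write_node_page() happened */
};

/* One scheduling slot for Thread A. check_under_lock=false models the
 * ordering in the description, true models the assumed fixed ordering. */
static void thread_a_step(struct state *s, bool check_under_lock)
{
    if (!check_under_lock && !s->marked) {
        s->dentry_mark = !s->checkpointed;  /* flag read without node_write */
        s->marked = true;
    }
    if (s->node_write)
        return;                             /* f2fs_down_read() blocks */
    if (!s->marked) {
        s->dentry_mark = !s->checkpointed;  /* flag read under node_write */
        s->marked = true;
    }
    s->written = true;                      /* f2fs_do_write_node_page() */
}

/* Replays the schedule; returns true if last_folio is rewritten with a
 * dentry mark even though the nat entry is already IS_CHECKPOINTED. */
bool replay_inconsistent(bool check_under_lock)
{
    struct state s = {0};
    s.node_write = true;                 /* B: block_operations */
    thread_a_step(&s, check_under_lock); /* A runs while B is descheduled */
    s.checkpointed = true;               /* B: f2fs_flush_nat_entries */
    s.node_write = false;                /* B: unblock_operations */
    thread_a_step(&s, check_under_lock); /* A resumes after the checkpoint */
    return s.written && s.dentry_mark && s.checkpointed;
}

int main(void)
{
    printf("check outside node_write: %d\n", replay_inconsistent(false));
    printf("check under node_write:   %d\n", replay_inconsistent(true));
    return 0;
}
```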

Impact