CVE-2026-31450

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: publish jinode after initialization<br /> <br /> ext4_inode_attach_jinode() publishes ei-&gt;jinode to concurrent users.<br /> It used to set ei-&gt;jinode before jbd2_journal_init_jbd_inode(),<br /> allowing a reader to observe a non-NULL jinode with i_vfs_inode<br /> still unset.<br /> <br /> The fast commit flush path can then pass this jinode to<br /> jbd2_wait_inode_data(), which dereferences i_vfs_inode-&gt;i_mapping and<br /> may crash.<br /> <br /> Below is the crash I observe:<br /> ```<br /> BUG: unable to handle page fault for address: 000000010beb47f4<br /> PGD 110e51067 P4D 110e51067 PUD 0<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014<br /> RIP: 0010:xas_find_marked+0x3d/0x2e0<br /> Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02<br /> RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246<br /> RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003<br /> RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10<br /> RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec<br /> R10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000<br /> R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88<br /> FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0<br /> PKRU: 55555554<br /> Call Trace:<br /> <br /> filemap_get_folios_tag+0x87/0x2a0<br /> __filemap_fdatawait_range+0x5f/0xd0<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? __schedule+0x3e7/0x10c0<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? preempt_count_sub+0x5f/0x80<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? cap_safe_nice+0x37/0x70<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? preempt_count_sub+0x5f/0x80<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> filemap_fdatawait_range_keep_errors+0x12/0x40<br /> ext4_fc_commit+0x697/0x8b0<br /> ? ext4_file_write_iter+0x64b/0x950<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? preempt_count_sub+0x5f/0x80<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? vfs_write+0x356/0x480<br /> ? srso_alias_return_thunk+0x5/0xfbef5<br /> ? preempt_count_sub+0x5f/0x80<br /> ext4_sync_file+0xf7/0x370<br /> do_fsync+0x3b/0x80<br /> ? syscall_trace_enter+0x108/0x1d0<br /> __x64_sys_fdatasync+0x16/0x20<br /> do_syscall_64+0x62/0x2c0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> ...<br /> ```<br /> <br /> Fix this by initializing the jbd2_inode first.<br /> Use smp_wmb() and WRITE_ONCE() to publish ei-&gt;jinode after<br /> initialization. Readers use READ_ONCE() to fetch the pointer.