CVE-2026-46194

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 28/05/2026
Last modified: 28/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix node_cnt race between extent node destroy and writeback

f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing
extent nodes. When called from f2fs_drop_inode() with I_SYNC set,
concurrent kworker writeback can insert new extent nodes into the same
extent tree, racing with the destroy and triggering f2fs_bug_on() in
__destroy_extent_node(). The scenario is as follows:

    drop inode                              writeback
     - iput
      - f2fs_drop_inode  // I_SYNC set
       - f2fs_destroy_extent_node
        - __destroy_extent_node
         - while (node_cnt) {
            write_lock(&et->lock)
            __free_extent_tree
            write_unlock(&et->lock)
                                            - __writeback_single_inode
                                             - f2fs_outplace_write_data
                                              - f2fs_update_read_extent_cache
                                               - __update_extent_tree_range
                                                // FI_NO_EXTENT not set,
                                                // insert new extent node
           } // node_cnt == 0, exit while
         - f2fs_bug_on(node_cnt) // node_cnt > 0

Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for
EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.

This patch sets FI_NO_EXTENT under et->lock in __destroy_extent_node(),
consistent with other callers (__update_extent_tree_range and
__drop_extent_tree) and checks FI_NO_EXTENT for both EX_READ and
EX_BLOCK_AGE tree.
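The interleaving in the description can be replayed deterministically with a small user-space model. This is an added example, not kernel code and not the patch itself. The struct, the function names update_extent, destroy_extent and replay, the patched switch, and the choice to set the flag in the locked section of the loop are assumptions of the model; the lock is marked by comments because the replay is single-threaded.

```c
#include <stdbool.h>
#include <stdio.h>

enum extent_type { EX_READ, EX_BLOCK_AGE, NR_EXTENT_TYPES };

/* Model of one inode: FI_NO_EXTENT plus a node count per extent tree. */
struct inode_model {
    bool no_extent;
    int node_cnt[NR_EXTENT_TYPES];
};

/* Writeback side (models __update_extent_tree_range); true if a node was inserted. */
static bool update_extent(struct inode_model *in, enum extent_type t, bool patched)
{
    /* Pre-patch, only EX_READ updates look at FI_NO_EXTENT. */
    bool checks_flag = patched || t == EX_READ;
    if (checks_flag && in->no_extent)
        return false;
    in->node_cnt[t]++;
    return true;
}

/* Drop-inode side (models __destroy_extent_node). One writeback update is replayed
 * after the loop saw node_cnt == 0. Returns the count f2fs_bug_on() would test. */
static int destroy_extent(struct inode_model *in, enum extent_type t, bool patched)
{
    while (in->node_cnt[t]) {
        /* --- et->lock held for writing --- */
        if (patched)
            in->no_extent = true;
        in->node_cnt[t] = 0;          /* __free_extent_tree */
        /* --- et->lock released --- */
    }
    update_extent(in, t, patched);    /* concurrent kworker writeback */
    return in->node_cnt[t];
}

static int replay(enum extent_type t, bool patched)
{
    /* Constructed sample inode: three nodes in each tree, flag clear. */
    struct inode_model in = { .no_extent = false, .node_cnt = { 3, 3 } };
    return destroy_extent(&in, t, patched);
}

int main(void)
{
    for (int t = EX_READ; t < NR_EXTENT_TYPES; t++)
        printf("type %d: pre-patch=%d patched=%d\n", t, replay(t, false), replay(t, true));
    return 0;
}
```

A non-zero result from replay() corresponds to the f2fs_bug_on(node_cnt) condition in the scenario; with the patched behaviour both tree types end at zero.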

Impact