Home

Description

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes During SPO tests, when mounting F2FS, an -EINVAL error was returned from f2fs_recover_inode_page. The issue occurred under the following scenario Thread A Thread B f2fs_ioc_commit_atomic_write - f2fs_do_sync_file // atomic = true - f2fs_fsync_node_pages : last_folio = inode folio : schedule before folio_lock(last_folio) f2fs_write_checkpoint - block_operations// writeback last_folio - schedule before f2fs_flush_nat_entries : set_fsync_mark(last_folio, 1) : set_dentry_mark(last_folio, 1) : folio_mark_dirty(last_folio) - __write_node_folio(last_folio) : f2fs_down_read(&sbi->node_write)//block - f2fs_flush_nat_entries : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED) - unblock_operations : f2fs_up_write(&sbi->node_write) f2fs_write_checkpoint//return : f2fs_do_write_node_page() f2fs_ioc_commit_atomic_write//return SPO Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has already been written once. However, the {struct nat_entry}->flag did not have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and write last_folio again after Thread B finishes f2fs_write_checkpoint. After SPO and reboot, it was detected that {struct node_info}->blk_addr was not NULL_ADDR because Thread B successfully write the checkpoint. This issue only occurs in atomic write scenarios. For regular file fsync operations, the folio must be dirty. If block_operations->f2fs_sync_node_pages successfully submit the folio write, this path will not be executed. Otherwise, the f2fs_write_checkpoint will need to wait for the folio write submission to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the situation where f2fs_need_dentry_mark checks that the {struct nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has already been submitted, will not occur. Therefore, for atomic file fsync, sbi->node_write should be acquired through __write_node_folio to ensure that the IS_CHECKPOINTED flag correctly indicates that the checkpoint write has been completed.

PUBLISHED Reserved 2026-01-13 | Published 2026-03-18 | Updated 2026-04-13 | Assigner Linux

Product status

Default status
unaffected

608514deba38c8611ad330d6a3c8e2b9a1f68e4b (git) before 32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d
affected

608514deba38c8611ad330d6a3c8e2b9a1f68e4b (git) before 75e19da068adf0dc5dd269dd157392434b9117d4
affected

608514deba38c8611ad330d6a3c8e2b9a1f68e4b (git) before 962c167b0f262b9962207fbeaa531721d55ea00e
affected

608514deba38c8611ad330d6a3c8e2b9a1f68e4b (git) before bd66b4c487d5091d2a65d6089e0de36f0c26a4c7
affected

608514deba38c8611ad330d6a3c8e2b9a1f68e4b (git) before ed81bc5885460905f9160e7b463e5708fd056324
affected

608514deba38c8611ad330d6a3c8e2b9a1f68e4b (git) before 7633a7387eb4d0259d6bea945e1d3469cd135bbc
affected

Default status
affected

4.7
affected

Any version before 4.7
unaffected

6.1.164 (semver)
unaffected

6.6.127 (semver)
unaffected

6.12.74 (semver)
unaffected

6.18.13 (semver)
unaffected

6.19.3 (semver)
unaffected

7.0 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d

git.kernel.org/...c/75e19da068adf0dc5dd269dd157392434b9117d4

git.kernel.org/...c/962c167b0f262b9962207fbeaa531721d55ea00e

git.kernel.org/...c/bd66b4c487d5091d2a65d6089e0de36f0c26a4c7

git.kernel.org/...c/ed81bc5885460905f9160e7b463e5708fd056324

git.kernel.org/...c/7633a7387eb4d0259d6bea945e1d3469cd135bbc

cve.org (CVE-2026-23267)

nvd.nist.gov (CVE-2026-23267)

Download JSON