f2fs: fix node_cnt race between extent node destroy and writeback
Summary
| CVE | CVE-2026-46194 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-28 10:16:35 UTC |
| Updated | 2026-05-28 13:44:01 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix node_cnt race between extent node destroy and writeback f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows: drop inode writeback - iput - f2fs_drop_inode // I_SYNC set - f2fs_destroy_extent_node - __destroy_extent_node - while (node_cnt) { write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock) - __writeback_single_inode - f2fs_outplace_write_data - f2fs_update_read_extent_cache - __update_extent_tree_range // FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while - f2fs_bug_on(node_cnt) // node_cnt > 0 Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected. This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree. |
Risk And Classification
EPSS: 0.000180000 probability, percentile 0.051520000 (date 2026-05-28)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 295b50e95e900da31ff237e46e04525fa799b2cf 42dd1c91f993431d0b399502479d00e6ad1bca71 git | Not specified |
| CNA | Linux | Linux | affected 924f7dd1e832e4e4530d14711db223d2803f7b61 ab1eaf9d5c99042f5b0243bf67a06283a4c0757f git | Not specified |
| CNA | Linux | Linux | affected 3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343 b0e4395870eb3441ddc959f6710b5f6ca61aff26 git | Not specified |
| CNA | Linux | Linux | affected 3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343 0559a0e962aacbb47519e26ee663be04b72dcb92 git | Not specified |
| CNA | Linux | Linux | affected 3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343 ed78aeebef05212ef7dca93bd931e4eff67c113f git | Not specified |
| CNA | Linux | Linux | affected 6.6.66 6.6.140 semver | Not specified |
| CNA | Linux | Linux | affected 6.12.5 6.12.88 semver | Not specified |
| CNA | Linux | Linux | affected 6.13 | Not specified |
| CNA | Linux | Linux | unaffected 6.13 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.140 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.88 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.30 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.7 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1-rc1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.