FKIE_CVE-2026-46194

Vulnerability from fkie_nvd - Published: 2026-05-28 10:16 - Updated: 2026-05-28 13:44
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix node_cnt race between extent node destroy and writeback f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows: drop inode writeback - iput - f2fs_drop_inode // I_SYNC set - f2fs_destroy_extent_node - __destroy_extent_node - while (node_cnt) { write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock) - __writeback_single_inode - f2fs_outplace_write_data - f2fs_update_read_extent_cache - __update_extent_tree_range // FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while - f2fs_bug_on(node_cnt) // node_cnt > 0 Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected. This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix node_cnt race between extent node destroy and writeback\n\nf2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing\nextent nodes. When called from f2fs_drop_inode() with I_SYNC set,\nconcurrent kworker writeback can insert new extent nodes into the same\nextent tree, racing with the destroy and triggering f2fs_bug_on() in\n__destroy_extent_node(). The scenario is as follows:\n\ndrop inode                            writeback\n - iput\n  - f2fs_drop_inode  // I_SYNC set\n   - f2fs_destroy_extent_node\n    - __destroy_extent_node\n     - while (node_cnt) {\n        write_lock(\u0026et-\u003elock)\n        __free_extent_tree\n        write_unlock(\u0026et-\u003elock)\n                                       - __writeback_single_inode\n                                        - f2fs_outplace_write_data\n                                         - f2fs_update_read_extent_cache\n                                          - __update_extent_tree_range\n                                           // FI_NO_EXTENT not set,\n                                           // insert new extent node\n       } // node_cnt == 0, exit while\n     - f2fs_bug_on(node_cnt)  // node_cnt \u003e 0\n\nAdditionally, __update_extent_tree_range() only checks FI_NO_EXTENT for\nEX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.\n\nThis patch set FI_NO_EXTENT under et-\u003elock in __destroy_extent_node(),\nconsistent with other callers (__update_extent_tree_range and\n__drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and\nEX_BLOCK_AGE tree."
    }
  ],
  "id": "CVE-2026-46194",
  "lastModified": "2026-05-28T13:44:01.663",
  "metrics": {},
  "published": "2026-05-28T10:16:35.033",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.