GHSA-FJRM-VJGQ-9RP6

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-28 12:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix node_cnt race between extent node destroy and writeback

f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:

drop inode writeback - iput - f2fs_drop_inode // I_SYNC set - f2fs_destroy_extent_node - __destroy_extent_node - while (node_cnt) { write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock) - __writeback_single_inode - f2fs_outplace_write_data - f2fs_update_read_extent_cache - __update_extent_tree_range // FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while - f2fs_bug_on(node_cnt) // node_cnt > 0

Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.

This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-46194"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:35Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix node_cnt race between extent node destroy and writeback\n\nf2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing\nextent nodes. When called from f2fs_drop_inode() with I_SYNC set,\nconcurrent kworker writeback can insert new extent nodes into the same\nextent tree, racing with the destroy and triggering f2fs_bug_on() in\n__destroy_extent_node(). The scenario is as follows:\n\ndrop inode                            writeback\n - iput\n  - f2fs_drop_inode  // I_SYNC set\n   - f2fs_destroy_extent_node\n    - __destroy_extent_node\n     - while (node_cnt) {\n        write_lock(\u0026et-\u003elock)\n        __free_extent_tree\n        write_unlock(\u0026et-\u003elock)\n                                       - __writeback_single_inode\n                                        - f2fs_outplace_write_data\n                                         - f2fs_update_read_extent_cache\n                                          - __update_extent_tree_range\n                                           // FI_NO_EXTENT not set,\n                                           // insert new extent node\n       } // node_cnt == 0, exit while\n     - f2fs_bug_on(node_cnt)  // node_cnt \u003e 0\n\nAdditionally, __update_extent_tree_range() only checks FI_NO_EXTENT for\nEX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.\n\nThis patch set FI_NO_EXTENT under et-\u003elock in __destroy_extent_node(),\nconsistent with other callers (__update_extent_tree_range and\n__drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and\nEX_BLOCK_AGE tree.",
  "id": "GHSA-fjrm-vjgq-9rp6",
  "modified": "2026-05-28T12:30:32Z",
  "published": "2026-05-28T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46194"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.