In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix node_cnt race between extent node destroy and writeback
f2fsdestroyextentnode() does not set FINOEXTENT before clearing extent nodes. When called from f2fsdropinode() with ISYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fsbugon() in __destroyextentnode(). The scenario is as follows:
drop inode writeback - iput - f2fsdropinode // ISYNC set - f2fsdestroyextentnode - __destroyextentnode - while (nodecnt) { writelock(&et->lock) __freeextenttree write_unlock(&et->lock) - __writebacksingleinode - f2fsoutplacewritedata - f2fsupdatereadextent_cache - __updateextenttreerange // FINOEXTENT not set, // insert new extent node } // nodecnt == 0, exit while - f2fsbugon(nodecnt) // nodecnt > 0
Additionally, __updateextenttreerange() only checks FINOEXTENT for EXREAD type, leaving EXBLOCKAGE updates completely unprotected.
This patch set FINOEXTENT under et->lock in __destroyextentnode(), consistent with other callers (__updateextenttree_range and _dropextenttree) and check FINOEXTENT for both EXREAD and EXBLOCKAGE tree.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46194.json",
"cna_assigner": "Linux"
}