In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
During SPO tests, when mounting F2FS, an -EINVAL error was returned from f2fs_recover_inode_page. The issue occurred under the following scenario:
Thread A                                       Thread B
f2fs_ioc_commit_atomic_write
 - f2fs_do_sync_file // atomic = true
  - f2fs_fsync_node_pages
    : last_folio = inode folio
    : schedule before folio_lock(last_folio)   f2fs_write_checkpoint
                                                - block_operations // writeback last_folio
                                                - schedule before f2fs_flush_nat_entries
    : set_fsync_mark(last_folio, 1)
    : set_dentry_mark(last_folio, 1)
    : folio_mark_dirty(last_folio)
    - __write_node_folio(last_folio)
      : f2fs_down_read(&sbi->node_write) // block
                                                - f2fs_flush_nat_entries
                                                  : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)
                                                - unblock_operations
                                                  : f2fs_up_write(&sbi->node_write)
                                               f2fs_write_checkpoint // return
      : f2fs_do_write_node_page()
f2fs_ioc_commit_atomic_write // return
                                               SPO
Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has already been written once. However, the {struct nat_entry}->flag did not have the IS_CHECKPOINTED flag set, causing set_dentry_mark(last_folio, 1) and a second write of last_folio after Thread B finishes f2fs_write_checkpoint.
After SPO and reboot, it was detected that {struct node_info}->blk_addr was not NULL_ADDR because Thread B successfully wrote the checkpoint.
This issue only occurs in atomic write scenarios. For regular file fsync operations, the folio must be dirty. If block_operations->f2fs_sync_node_pages successfully submits the folio write, this path will not be executed. Otherwise, f2fs_write_checkpoint will need to wait for the folio write submission to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the situation where f2fs_need_dentry_mark sees the {struct nat_entry}->flag without the IS_CHECKPOINTED flag, but the folio write has already been submitted, will not occur.
Therefore, for atomic file fsync, sbi->node_write should be acquired through __write_node_folio to ensure that the IS_CHECKPOINTED flag correctly indicates that the checkpoint write has been completed.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23267.json",
"cna_assigner": "Linux"
}