In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount CPU. The unmount path then proceeds to call f2fs_destroy_page_array_cache(sbi), which destroys sbi->page_array_slab via kmem_cache_destroy(), and eventually kfree(sbi). Meanwhile, the bio completion callback is still executing: when it reaches page_array_free(sbi, ...), it dereferences sbi->page_array_slab — a destroyed slab cache — to call kmem_cache_free(), causing a use-after-free.
This is the same class of bug as CVE-2026-23234 (which fixed the equivalent race in f2fs_write_end_io() in data.c), but in the compressed writeback completion path that was not covered by that fix.
Fix this by moving dec_page_count() to after page_array_free(), so that all sbi accesses complete before the counter decrement that can unblock unmount. For non-last folios (where atomic_dec_return on cic->pending_pages is nonzero), dec_page_count is called immediately before returning — page_array_free is not reached on this path, so there is no post-decrement sbi access. For the last folio, page_array_free runs while the F2FS_WB_CP_DATA counter is still nonzero (this folio has not yet decremented it), keeping sbi alive, and dec_page_count runs as the final operation.
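The ordering described above, as an added user-space model (not the kernel's code): the structs, the slab stand-in and the `unmount_after_wait` hook are assumptions that make the race deterministic, so the vulnerable and fixed completion orderings can be compared directly.

```c
/* Deterministic model of the f2fs_compress_write_end_io() ordering bug.
 * Names mirror the kernel (sbi, cic, dec_page_count, page_array_free),
 * but every struct here is a stand-in, not the real f2fs type. */
#include <stdatomic.h>
#include <stdlib.h>

struct sbi {
    atomic_int wb_cp_data;      /* models the F2FS_WB_CP_DATA counter */
    void *page_array_slab;      /* models sbi->page_array_slab; NULL once destroyed */
    int slab_destroyed;
};

struct cic {
    atomic_int pending_pages;   /* folios still to complete for this cluster */
};

/* Models the unmount path that f2fs_wait_on_all_pages() unblocks: the
 * page-array slab cache is destroyed as soon as the counter reaches zero. */
void unmount_after_wait(struct sbi *sbi) {
    free(sbi->page_array_slab);
    sbi->page_array_slab = NULL;
    sbi->slab_destroyed = 1;
}

void dec_page_count(struct sbi *sbi) {
    if (atomic_fetch_sub(&sbi->wb_cp_data, 1) == 1)
        unmount_after_wait(sbi);   /* counter hit zero: unmount proceeds now */
}

/* Returns 1 if the slab was already destroyed, i.e. the point at which the
 * real kmem_cache_free() would dereference freed memory. */
int page_array_free(struct sbi *sbi) { return sbi->slab_destroyed; }

/* Vulnerable ordering: counter decremented before the last sbi access. */
int end_io_vulnerable(struct sbi *sbi, struct cic *cic) {
    dec_page_count(sbi);
    if (atomic_fetch_sub(&cic->pending_pages, 1) != 1)
        return 0;                  /* not the last folio of the cluster */
    return page_array_free(sbi);   /* may touch a destroyed slab */
}

/* Fixed ordering: all sbi accesses complete, then the counter is decremented. */
int end_io_fixed(struct sbi *sbi, struct cic *cic) {
    if (atomic_fetch_sub(&cic->pending_pages, 1) != 1) {
        dec_page_count(sbi);       /* no further sbi access on this path */
        return 0;
    }
    int uaf = page_array_free(sbi); /* counter still nonzero: slab alive */
    dec_page_count(sbi);            /* final operation */
    return uaf;
}

/* Scenario: the last in-flight folio of a cluster completes while unmount
 * is blocked on the counter. Returns 1 if the slab was used after destroy. */
int run_scenario(int (*end_io)(struct sbi *, struct cic *)) {
    struct sbi sbi = { .wb_cp_data = 1, .page_array_slab = malloc(64) };
    struct cic cic = { .pending_pages = 1 };
    return end_io(&sbi, &cic);     /* dec_page_count frees the slab either way */
}
```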
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31702.json"
}