In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference.
The concurrent scenario that triggers the panic is as follows:
F2FS_WB_CP_DATA write callback                 umount
                                               - f2fs_write_checkpoint
                                                - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)
- blk_mq_end_request
 - bio_endio
  - f2fs_write_end_io
   : dec_page_count(sbi, F2FS_WB_CP_DATA)
   : wake_up(&sbi->cp_wait)
                                               - kill_f2fs_super
                                                - kill_block_super
                                                 - f2fs_put_super
                                                  : iput(sbi->node_inode)
                                                  : sbi->node_inode = NULL
   : f2fs_in_warm_node_list
    - is_node_folio   // sbi->node_inode is NULL and panic
The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is decremented to zero. As a result, f2fs_in_warm_node_list() may dereference a NULL node_inode when checking whether a folio belongs to the node inode, leading to a panic.
This patch fixes the issue by calling f2fs_in_warm_node_list() before decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the use-after-free condition.
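The ordering rule behind the fix is that the in-flight page count is what keeps the superblock alive for a completion callback: once the count is decremented and the umount waiter is woken, nothing in the callback may touch sbi any more. The following C model, added here as an illustration and not part of the kernel or the patch, reproduces the interleaving deterministically. The struct layout, the on_zero hook (which runs the woken umount path synchronously in place of a real scheduler), and the -1 return of in_warm_node_list() for the case where the kernel would dereference a NULL node_inode are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

enum count_type { WB_CP_DATA, NR_COUNT_TYPE };

struct inode { int ino; };

struct sb_info {
    struct inode *node_inode;              /* freed and set to NULL by put_super() */
    int nr_pages[NR_COUNT_TYPE];           /* in-flight writeback pages per type */
    void (*on_zero)(struct sb_info *sbi);  /* ASSUMED hook: models the woken umount path */
};

struct folio { struct inode *host; };      /* stands in for folio->mapping->host */

/* Models f2fs_put_super(): tears down node_inode. Only safe once no writeback
 * completion can still reference sbi. */
static void put_super(struct sb_info *sbi)
{
    free(sbi->node_inode);
    sbi->node_inode = NULL;
}

/* Models dec_page_count() + wake_up(&sbi->cp_wait). In the kernel the waiter is a
 * separate task that may run at any point after the wake-up; here it runs
 * synchronously so the worst-case interleaving is reproduced every time. */
static void dec_page_count(struct sb_info *sbi, enum count_type type)
{
    if (--sbi->nr_pages[type] == 0 && sbi->on_zero)
        sbi->on_zero(sbi);
}

/* Models f2fs_in_warm_node_list() -> is_node_folio(): 1 if the folio belongs to
 * the node inode, 0 if not, -1 if sbi->node_inode is already NULL (the point at
 * which the real kernel dereferences it and panics). */
static int in_warm_node_list(const struct sb_info *sbi, const struct folio *folio)
{
    if (!sbi->node_inode)
        return -1;
    return folio->host == sbi->node_inode;
}

/* Pre-patch ordering: the count is released before the folio is classified. */
int write_end_io_buggy(struct sb_info *sbi, struct folio *folio)
{
    dec_page_count(sbi, WB_CP_DATA);      /* umount may now proceed to put_super() */
    return in_warm_node_list(sbi, folio); /* use after the release point */
}

/* Patched ordering: classify while the in-flight count still pins sbi, then release. */
int write_end_io_fixed(struct sb_info *sbi, struct folio *folio)
{
    int warm = in_warm_node_list(sbi, folio);
    dec_page_count(sbi, WB_CP_DATA);
    return warm;
}

/* Runs one completion against an umount already blocked in f2fs_wait_on_all_pages():
 * the last CP_DATA page finishing lets it continue into put_super(). */
int run_scenario(int (*end_io)(struct sb_info *, struct folio *))
{
    struct sb_info sbi = {
        .node_inode = malloc(sizeof(struct inode)),
        .nr_pages = { [WB_CP_DATA] = 1 },
        .on_zero = put_super,
    };
    struct folio folio = { .host = sbi.node_inode }; /* constructed: one node-inode page */
    int result = end_io(&sbi, &folio);
    if (sbi.node_inode)        /* teardown did not run through the hook */
        put_super(&sbi);
    return result;
}

int main(void)
{
    printf("pre-patch ordering: %d (-1 = node_inode already NULL when checked)\n",
           run_scenario(write_end_io_buggy));
    printf("patched ordering:   %d (1 = folio classified while sbi still pinned)\n",
           run_scenario(write_end_io_fixed));
    return 0;
}
```

The model makes the wake-up run the umount path inline, which is the interleaving the commit message describes rather than the common case; the point is that the pre-patch code is only correct by luck of scheduling, while the patched order is correct regardless of when the waiter runs.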
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31715.json"
}