In the Linux kernel, the following vulnerability has been resolved:

erofs: fix UAF issue for file-backed mounts w/ directio option

[ 9.269940][ T3222] Call trace:
[ 9.269948][ T3222]  ext4_file_read_iter+0xac/0x108
[ 9.269979][ T3222]  vfs_iocb_iter_read+0xac/0x198
[ 9.269993][ T3222]  erofs_fileio_rq_submit+0x12c/0x180
[ 9.270008][ T3222]  erofs_fileio_submit_bio+0x14/0x24
[ 9.270030][ T3222]  z_erofs_runqueue+0x834/0x8ac
[ 9.270054][ T3222]  z_erofs_read_folio+0x120/0x220
[ 9.270083][ T3222]  filemap_read_folio+0x60/0x120
[ 9.270102][ T3222]  filemap_fault+0xcac/0x1060
[ 9.270119][ T3222]  do_pte_missing+0x2d8/0x1554
[ 9.270131][ T3222]  handle_mm_fault+0x5ec/0x70c
[ 9.270142][ T3222]  do_page_fault+0x178/0x88c
[ 9.270167][ T3222]  do_translation_fault+0x38/0x54
[ 9.270183][ T3222]  do_mem_abort+0x54/0xac
[ 9.270208][ T3222]  el0_da+0x44/0x7c
[ 9.270227][ T3222]  el0t_64_sync_handler+0x5c/0xf4
[ 9.270253][ T3222]  el0t_64_sync+0x1bc/0x1c0

EROFS may hit the panic above when a file-backed mount is used together with the directio mount option. The root cause is a use-after-free (UAF) in the following race:

 - z_erofs_read_folio                          wq        s_dio_done_wq
  - z_erofs_runqueue
   - erofs_fileio_submit_bio
    - erofs_fileio_rq_submit
     - vfs_iocb_iter_read
      - ext4_file_read_iter
       - ext4_dio_read_iter
        - iomap_dio_rw
          : bio was submitted and returns -EIOCBQUEUED
                                                        - dio_aio_complete_work
                                                         - dio_complete
                                                          - dio->iocb->ki_complete
                                                            (erofs_fileio_ki_complete())
                                                           - kfree(rq)
                                                             : it frees iocb, so iocb.ki_filp
                                                               can be a UAF in file_accessed()
      - file_accessed
        : accesses a NULL file pointer

Introduce a reference count in struct erofs_fileio_rq and initialize it to two. Both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() decrease the reference count, and whichever one drops it to zero frees rq.
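The two-reference scheme described above, modelled in user space as an added example (not the kernel's fileio.c code): names such as fileio_rq, rq_put, ki_complete, backend_read_iter and run_race are hypothetical, and "free" is modelled with a live flag so the pre-fix ordering can be detected instead of actually touching freed memory.

```c
#define EIOCBQUEUED 529  /* kernel errno: bio queued, completes asynchronously */
struct fake_file { int accessed; };
struct fileio_rq {
    int refcount;              /* fix: starts at 2 (submitter + completion) */
    int live;                  /* 1 while allocated, 0 after the last put */
    struct fake_file *ki_filp;
};

/* Drop one reference; the last put "frees" the request (modelled as live = 0). */
static void rq_put(struct fileio_rq *rq)
{
    if (--rq->refcount == 0)
        rq->live = 0;
}

/* Models erofs_fileio_ki_complete(): the completion side drops its reference. */
static void ki_complete(struct fileio_rq *rq)
{
    rq_put(rq);
}

/* Models the ext4 DIO path: bio queued, completion runs on s_dio_done_wq. Calling
 * it synchronously forces the race's worst case: completion wins. */
static int backend_read_iter(struct fileio_rq *rq)
{
    ki_complete(rq);
    return -EIOCBQUEUED;
}

/* Models erofs_fileio_rq_submit() -> vfs_iocb_iter_read(), whose file_accessed()
 * touches iocb.ki_filp after the read returns. Returns 1 on a would-be UAF. */
static int rq_submit(struct fileio_rq *rq)
{
    int ret = backend_read_iter(rq);
    if (!rq->live)
        return 1;                  /* pre-fix: completion already freed rq */
    rq->ki_filp->accessed++;       /* file_accessed() on a live iocb */
    if (ret != -EIOCBQUEUED)
        ki_complete(rq);           /* synchronous completion drops its ref here */
    rq_put(rq);                    /* submitter's own reference */
    return 0;
}

/* 1 = pre-fix (only completion owns rq), 2 = the fix. Returns 1 on UAF. */
static int run_race(int initial_refs)
{
    struct fake_file f = { 0 };
    struct fileio_rq rq = { initial_refs, 1, &f };
    return rq_submit(&rq);
}
```

run_race(1) reports the UAF because the single reference is dropped by completion before the submitter's file_accessed() runs; run_race(2) stays safe and the request is released only after both sides have put their reference.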