PT-2026-26127 · Linux
Published 2026-03-18 · Updated 2026-03-18
CVE-2026-23267
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes

During SPO tests, when mounting F2FS, an -EINVAL error was returned from
f2fs_recover_inode_page. The issue occurred under the following scenario:
Thread A                                      Thread B
f2fs_ioc_commit_atomic_write
- f2fs_do_sync_file // atomic = true
 - f2fs_fsync_node_pages
  : last_folio = inode folio
  : schedule before folio_lock(last_folio)
                                              f2fs_write_checkpoint
                                              - block_operations
                                                // writeback last_folio
                                              - schedule before f2fs_flush_nat_entries
  : set_fsync_mark(last_folio, 1)
  : set_dentry_mark(last_folio, 1)
  : folio_mark_dirty(last_folio)
 - __write_node_folio(last_folio)
  : f2fs_down_read(&sbi->node_write) // block
                                              - f2fs_flush_nat_entries
                                                : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)
                                              - unblock_operations
                                                : f2fs_up_write(&sbi->node_write)
                                              f2fs_write_checkpoint // return
  : f2fs_do_write_node_page()
f2fs_ioc_commit_atomic_write // return
SPO
Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last folio has
already been written once. However, the {struct nat_entry}->flag did not
have IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) to be
called and the last folio to be written again after Thread B finishes
f2fs_write_checkpoint.

After SPO and reboot, it was detected that {struct node_info}->blk_addr
was not NULL_ADDR because Thread B successfully wrote the checkpoint.
This issue only occurs in atomic write scenarios. For regular file
fsync operations, the folio must be dirty. If
block_operations->f2fs_sync_node_pages successfully submits the folio
write, this path will not be executed. Otherwise,
f2fs_write_checkpoint will need to wait for the folio write submission
to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the
situation where f2fs_need_dentry_mark sees the {struct
nat_entry}->flag w/o the IS_CHECKPOINTED flag, but the folio write has
already been submitted, will not occur.

Therefore, for atomic file fsync, sbi->node_write should be acquired
through __write_node_folio to ensure that the IS_CHECKPOINTED flag
correctly indicates that the checkpoint write has been completed.
Affected Products: Linux