Linux Kernel f2fs IS_CHECKPOINTED Flag Inconsistency in Atomic Commit
CVE-2026-23267 Published on March 18, 2026
f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
During SPO tests, when mounting F2FS, an -EINVAL error was returned from
f2fs_recover_inode_page. The issue occurred under the following scenario
Thread A Thread B
f2fs_ioc_commit_atomic_write
- f2fs_do_sync_file // atomic = true
- f2fs_fsync_node_pages
: last_folio = inode folio
: schedule before folio_lock(last_folio) f2fs_write_checkpoint
- block_operations// writeback last_folio
- schedule before f2fs_flush_nat_entries
: set_fsync_mark(last_folio, 1)
: set_dentry_mark(last_folio, 1)
: folio_mark_dirty(last_folio)
- __write_node_folio(last_folio)
: f2fs_down_read(&sbi->node_write)//block
- f2fs_flush_nat_entries
: {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)
- unblock_operations
: f2fs_up_write(&sbi->node_write)
f2fs_write_checkpoint//return
: f2fs_do_write_node_page()
f2fs_ioc_commit_atomic_write//return
SPO
Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has
already been written once. However, the {struct nat_entry}->flag did not
have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and
write last_folio again after Thread B finishes f2fs_write_checkpoint.
After SPO and reboot, it was detected that {struct node_info}->blk_addr
was not NULL_ADDR because Thread B successfully write the checkpoint.
This issue only occurs in atomic write scenarios. For regular file
fsync operations, the folio must be dirty. If
block_operations->f2fs_sync_node_pages successfully submit the folio
write, this path will not be executed. Otherwise, the
f2fs_write_checkpoint will need to wait for the folio write submission
to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the
situation where f2fs_need_dentry_mark checks that the {struct
nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has
already been submitted, will not occur.
Therefore, for atomic file fsync, sbi->node_write should be acquired
through __write_node_folio to ensure that the IS_CHECKPOINTED flag
correctly indicates that the checkpoint write has been completed.
Products Associated with CVE-2026-23267
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 608514deba38c8611ad330d6a3c8e2b9a1f68e4b and below 32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d is affected.
- Version 608514deba38c8611ad330d6a3c8e2b9a1f68e4b and below 75e19da068adf0dc5dd269dd157392434b9117d4 is affected.
- Version 608514deba38c8611ad330d6a3c8e2b9a1f68e4b and below 962c167b0f262b9962207fbeaa531721d55ea00e is affected.
- Version 608514deba38c8611ad330d6a3c8e2b9a1f68e4b and below bd66b4c487d5091d2a65d6089e0de36f0c26a4c7 is affected.
- Version 608514deba38c8611ad330d6a3c8e2b9a1f68e4b and below ed81bc5885460905f9160e7b463e5708fd056324 is affected.
- Version 608514deba38c8611ad330d6a3c8e2b9a1f68e4b and below 7633a7387eb4d0259d6bea945e1d3469cd135bbc is affected.
- Version 4.7 is affected.
- Before 4.7 is unaffected.
- Version 6.1.164, <= 6.1.* is unaffected.
- Version 6.6.127, <= 6.6.* is unaffected.
- Version 6.12.74, <= 6.12.* is unaffected.
- Version 6.18.13, <= 6.18.* is unaffected.
- Version 6.19.3, <= 6.19.* is unaffected.
- Version 7.0-rc1, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.