{"id":"CVE-2026-23267","summary":"f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes\n\nDuring SPO tests, when mounting F2FS, an -EINVAL error was returned from\nf2fs_recover_inode_page. The issue occurred under the following scenario\n\nThread A                                     Thread B\nf2fs_ioc_commit_atomic_write\n - f2fs_do_sync_file // atomic = true\n  - f2fs_fsync_node_pages\n    : last_folio = inode folio\n    : schedule before folio_lock(last_folio) f2fs_write_checkpoint\n                                              - block_operations// writeback last_folio\n                                              - schedule before f2fs_flush_nat_entries\n    : set_fsync_mark(last_folio, 1)\n    : set_dentry_mark(last_folio, 1)\n    : folio_mark_dirty(last_folio)\n    - __write_node_folio(last_folio)\n      : f2fs_down_read(&sbi-\u003enode_write)//block\n                                              - f2fs_flush_nat_entries\n                                                : {struct nat_entry}-\u003eflag |= BIT(IS_CHECKPOINTED)\n                                              - unblock_operations\n                                                : f2fs_up_write(&sbi-\u003enode_write)\n                                             f2fs_write_checkpoint//return\n      : f2fs_do_write_node_page()\nf2fs_ioc_commit_atomic_write//return\n                                             SPO\n\nThread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has\nalready been written once. 
However, the {struct nat_entry}-\u003eflag did not\nhave the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and\nwrite last_folio again after Thread B finishes f2fs_write_checkpoint.\n\nAfter SPO and reboot, it was detected that {struct node_info}-\u003eblk_addr\nwas not NULL_ADDR because Thread B successfully wrote the checkpoint.\n\nThis issue only occurs in atomic write scenarios. For regular file\nfsync operations, the folio must be dirty. If\nblock_operations-\u003ef2fs_sync_node_pages successfully submits the folio\nwrite, this path will not be executed. Otherwise, the\nf2fs_write_checkpoint will need to wait for the folio write submission\nto complete, as sbi-\u003enr_pages[F2FS_DIRTY_NODES] \u003e 0. Therefore, the\nsituation where f2fs_need_dentry_mark checks that the {struct\nnat_entry}-\u003eflag w/o the IS_CHECKPOINTED flag, but the folio write has\nalready been submitted, will not occur.\n\nTherefore, for atomic file fsync, sbi-\u003enode_write should be acquired\nthrough __write_node_folio to ensure that the IS_CHECKPOINTED flag\ncorrectly indicates that the checkpoint write has been 
completed.","modified":"2026-04-14T03:48:10.291504Z","published":"2026-03-18T17:46:09.116Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23267.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/75e19da068adf0dc5dd269dd157392434b9117d4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7633a7387eb4d0259d6bea945e1d3469cd135bbc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/962c167b0f262b9962207fbeaa531721d55ea00e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bd66b4c487d5091d2a65d6089e0de36f0c26a4c7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ed81bc5885460905f9160e7b463e5708fd056324"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23267.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23267"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"608514deba38c8611ad330d6a3c8e2b9a1f68e4b"},{"fixed":"32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d"},{"fixed":"75e19da068adf0dc5dd269dd157392434b9117d4"},{"fixed":"962c167b0f262b9962207fbeaa531721d55ea00e"},{"fixed":"bd66b4c487d5091d2a65d6089e0de36f0c26a4c7"},{"fixed":"ed81bc5885460905f9160e7b463e5708fd056324"},{"fixed":"7633a7387eb4d0259d6bea945e1d3469cd135bbc"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23267.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.7.0"},{"fixed":"6.1.164"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.127"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7
.0"},{"fixed":"6.12.74"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.13"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23267.json"}}],"schema_version":"1.7.5"}