CVE-2026-23234

Name	CVE-2026-23234
Description	In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_io() As syzbot reported an use-after-free issue in f2fs_write_end_io(). It is caused by below race condition: loop device umount - worker_thread - loop_process_work - do_req_filebacked - lo_rw_aio - lo_rw_aio_complete - blk_mq_end_request - blk_update_request - f2fs_write_end_io - dec_page_count - folio_end_writeback - kill_f2fs_super - kill_block_super - f2fs_put_super : free(sbi) : get_pages(, F2FS_WB_CP_DATA) accessed sbi which is freed In kill_f2fs_super(), we will drop all page caches of f2fs inodes before call free(sbi), it guarantee that all folios should end its writeback, so it should be safe to access sbi before last folio_end_writeback(). Let's relocate ckpt thread wakeup flow before folio_end_writeback() to resolve this issue.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4498-1, DLA-4499-1, DSA-6162-1, DSA-6163-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
linux (PTS)	bullseye	5.10.223-1	vulnerable
	bullseye (security)	5.10.251-1	fixed
	bookworm	6.1.159-1	vulnerable
	bookworm (security)	6.1.164-1	fixed
	trixie	6.12.73-1	vulnerable
	trixie (security)	6.12.74-2	fixed
	forky, sid	6.19.8-1	fixed
linux-6.1 (PTS)	bullseye (security)	6.1.164-1~deb11u1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
linux	source	bullseye	5.10.251-1	DLA-4498-1
linux	source	bookworm	6.1.164-1	DSA-6163-1
linux	source	trixie	6.12.74-2	DSA-6162-1
linux	source	(unstable)	6.18.13-1
linux-6.1	source	bullseye	6.1.164-1~deb11u1	DLA-4499-1

https://git.kernel.org/linus/ce2739e482bce8d2c014d76c4531c877f382aa54 (7.0-rc1)