{"id":"CVE-2026-46194","summary":"f2fs: fix node_cnt race between extent node destroy and writeback","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix node_cnt race between extent node destroy and writeback\n\nf2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing\nextent nodes. When called from f2fs_drop_inode() with I_SYNC set,\nconcurrent kworker writeback can insert new extent nodes into the same\nextent tree, racing with the destroy and triggering f2fs_bug_on() in\n__destroy_extent_node(). The scenario is as follows:\n\ndrop inode                            writeback\n - iput\n  - f2fs_drop_inode  // I_SYNC set\n   - f2fs_destroy_extent_node\n    - __destroy_extent_node\n     - while (node_cnt) {\n        write_lock(&et-\u003elock)\n        __free_extent_tree\n        write_unlock(&et-\u003elock)\n                                       - __writeback_single_inode\n                                        - f2fs_outplace_write_data\n                                         - f2fs_update_read_extent_cache\n                                          - __update_extent_tree_range\n                                           // FI_NO_EXTENT not set,\n                                           // insert new extent node\n       } // node_cnt == 0, exit while\n     - f2fs_bug_on(node_cnt)  // node_cnt \u003e 0\n\nAdditionally, __update_extent_tree_range() only checks FI_NO_EXTENT for\nEX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.\n\nThis patch set FI_NO_EXTENT under et-\u003elock in __destroy_extent_node(),\nconsistent with other callers (__update_extent_tree_range and\n__drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and\nEX_BLOCK_AGE tree.","modified":"2026-07-08T08:05:17.693346408Z","published":"2026-05-28T09:36:47.461Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46194.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92"},{"type":"WEB","url":"https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46194.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46194"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"295b50e95e900da31ff237e46e04525fa799b2cf"},{"fixed":"42dd1c91f993431d0b399502479d00e6ad1bca71"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"924f7dd1e832e4e4530d14711db223d2803f7b61"},{"fixed":"ab1eaf9d5c99042f5b0243bf67a06283a4c0757f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343"},{"fixed":"b0e4395870eb3441ddc959f6710b5f6ca61aff26"},{"fixed":"0559a0e962aacbb47519e26ee663be04b72dcb92"},{"fixed":"ed78aeebef05212ef7dca93bd931e4eff67c113f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6.6.66"},{"fixed":"6.6.140"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6.12.5"},{"fixed":"6.12.88"}]}],"versions":["v6.6.139","v6.6.138","v6.6.137","v6.6.136","v6.6.135","v6.6.134","v6.6.133","v6.6.132","v6.6.131","v6.6.130","v6.6.129","v6.6.128","v6.6.127","v6.6.126","v6.6.125","v6.6.124","v6.6.123","v6.6.122","v6.6.121","v6.6.120","v6.6.119","v6.6.118","v6.6.117","v6.6.116","v6.6.115","v6.6.114","v6.6.113","v6.6.112","v6.6.111","v6.6.110","v6.6.109","v6.6.108","v6.6.107","v6.6.106","v6.6.105","v6.6.104","v6.6.103","v6.6.102","v6.6.101","v6.6.100","v6.6.99","v6.6.98","v6.6.97","v6.6.96","v6.6.95","v6.6.94","v6.6.93","v6.6.92","v6.6.91","v6.6.90","v6.6.89","v6.6.88","v6.6.87","v6.6.86","v6.6.85","v6.6.84","v6.6.83","v6.6.82","v6.6.81","v6.6.80","v6.6.79","v6.6.78","v6.6.77","v6.6.76","v6.6.75","v6.6.74","v6.6.73","v6.6.72","v6.6.71","v6.6.70","v6.6.69","v6.6.68","v6.6.67","v6.6.66","v6.12.87","v6.12.86","v6.12.85","v6.12.84","v6.12.83","v6.12.82","v6.12.81","v6.12.80","v6.12.79","v6.12.78","v6.12.77","v6.12.76","v6.12.75","v6.12.74","v6.12.73","v6.12.72","v6.12.71","v6.12.70","v6.12.69","v6.12.68","v6.12.67","v6.12.66","v6.12.65","v6.12.64","v6.12.63","v6.12.62","v6.12.61","v6.12.60","v6.12.59","v6.12.58","v6.12.57","v6.12.56","v6.12.55","v6.12.54","v6.12.53","v6.12.52","v6.12.51","v6.12.50","v6.12.49","v6.12.48","v6.12.47","v6.12.46","v6.12.45","v6.12.44","v6.12.43","v6.12.42","v6.12.41","v6.12.40","v6.12.39","v6.12.38","v6.12.37","v6.12.36","v6.12.35","v6.12.34","v6.12.33","v6.12.32","v6.12.31","v6.12.30","v6.12.29","v6.12.28","v6.12.27","v6.12.26","v6.12.25","v6.12.24","v6.12.23","v6.12.22","v6.12.21","v6.12.20","v6.12.19","v6.12.18","v6.12.17","v6.12.16","v6.12.15","v6.12.14","v6.12.13","v6.12.12","v6.12.11","v6.12.10","v6.12.9","v6.12.8","v6.12.7","v6.12.6","v6.12.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46194.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.88"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.30"},{"fixed":"7.0.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46194.json"}}],"schema_version":"1.7.5"}