CVE-2026-23234

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid UAF in f2fs_write_end_io()

As syzbot reported a use-after-free issue in f2fs_write_end_io().

It is caused by below race condition:

loop device                             umount
- worker_thread
 - loop_process_work
  - do_req_filebacked
   - lo_rw_aio
    - lo_rw_aio_complete
     - blk_mq_end_request
      - blk_update_request
       - f2fs_write_end_io
        - dec_page_count
        - folio_end_writeback
                                        - kill_f2fs_super
                                         - kill_block_super
                                          - f2fs_put_super
                                         : free(sbi)
       : get_pages(, F2FS_WB_CP_DATA)
         accessed sbi which is freed

In kill_f2fs_super(), we will drop all page caches of f2fs inodes before
calling free(sbi), it guarantees that all folios should end their writeback, so
it should be safe to access sbi before last folio_end_writeback().

Let's relocate ckpt thread wakeup flow before folio_end_writeback() to
resolve this issue.
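
The ordering issue in the description above, as an added userspace model (not the kernel patch and not f2fs code). All `model_*` names and `run_write_end_io` are hypothetical stand-ins, and the race is replayed deterministically by letting the umount side "free" sbi the moment the last folio leaves writeback.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: hypothetical stand-ins, not f2fs code. */
struct model_sbi {
    int  wb_cp_data;     /* pages under checkpoint writeback */
    int  folios_in_wb;   /* folios whose writeback has not ended */
    bool freed;          /* stands in for free(sbi) on the umount side */
    int  stale_accesses; /* reads of sbi after it was "freed" */
    int  ckpt_wakeups;   /* checkpoint waiter wakeups */
};

/* Last folio leaving writeback lets umount proceed; the race is modelled
 * deterministically by running the teardown at that exact point. */
static void model_end_writeback(struct model_sbi *sbi)
{
    if (--sbi->folios_in_wb == 0)
        sbi->freed = true;
}

/* The get_pages(, F2FS_WB_CP_DATA) check plus wakeup; counts stale reads. */
static void model_wake_ckpt(struct model_sbi *sbi)
{
    if (sbi->freed)
        sbi->stale_accesses++;
    if (sbi->wb_cp_data == 0)
        sbi->ckpt_wakeups++;
}

/* One write completion; returns how many times sbi was read after free. */
int run_write_end_io(bool fixed_order)
{
    struct model_sbi sbi = { .wb_cp_data = 1, .folios_in_wb = 1 };
    sbi.wb_cp_data--;                 /* dec_page_count */
    if (fixed_order) {
        model_wake_ckpt(&sbi);        /* sbi still pinned by writeback */
        model_end_writeback(&sbi);
    } else {
        model_end_writeback(&sbi);
        model_wake_ckpt(&sbi);        /* sbi may already be gone */
    }
    return sbi.stale_accesses;
}

int main(void)
{
    printf("old order: %d stale, new order: %d stale\n",
           run_write_end_io(false), run_write_end_io(true));
    return 0;
}
```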

Risk Information

Base Score: 7.8 (MODERATE)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 0.013

Associated Vulnerability

No records found

Patch Details

No records found
