DEBIAN-CVE-2026-23233

In the Linux kernel, the following vulnerability has been resolved:  f2fs: fix to avoid mapping wrong physical block for swapfile  Xiaolong Guo reported a f2fs bug in bugzilla [1]  [1] https://bugzilla.kernel.org/showbug.cgi?id=220951  Quoted:  "When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+, the system experiences data corruption leading to either: 1 dm-verity corruption errors and device reboot 2 F2FS node corruption errors and boot hangs  The issue occurs specifically when: 1 Using F2FS filesystem (ext4 is unaffected) 2 Swapfile size is less than F2FS section size (2MB) 3 Swapfile has fragmented physical layout (multiple non-contiguous extents) 4 Kernel version is 6.6+ (6.1 is unaffected)  The root cause is in checkswapactivate() function in fs/f2fs/data.c. When the first extent of a small swapfile (< 2MB) is not aligned to section boundaries, the function incorrectly treats it as the last extent, failing to map subsequent extents. This results in incorrect swapextent creation where only the first extent is mapped, causing subsequent swap writes to overwrite wrong physical locations (other files' data).  Steps to Reproduce 1 Setup a device with F2FS-formatted userdata partition 2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng 3 Run swap stress test: (Android devices) adb shell "cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60 --swap 0"  Log: 1 Ftrace shows in kernel 6.6, only first extent is mapped during second f2fsmapblocks call in checkswapactivate(): stress-ng-swap-8990: f2fsmapblocks: ino=11002, file offset=0, start blkaddr=0x43143, len=0x1 (Only 4KB mapped, not the full swapfile) 2 in kernel 6.1, both extents are correctly mapped: stress-ng-swap-5966: f2fsmapblocks: ino=28011, file offset=0, start blkaddr=0x13cd4, len=0x1 stress-ng-swap-5966: f2fsmapblocks: ino=28011, file offset=1, start blkaddr=0x60c84b, len=0xff  The problematic code is in checkswapactivate(): if ((pblock - SMI(sbi)->mainblkaddr) % blkspersec ||     nrpblocks % blkspersec ||     !f2fsvalidpinnedarea(sbi, pblock)) {     bool lastextent = false;      notaligned++;      nrpblocks = roundup(nrpblocks, blkspersec);     if (curlblock + nrpblocks > sis->max)         nrpblocks -= blkspersec;      / this extent is last one /     if (!nrpblocks) {         nrpblocks = lastlblock - curlblock;         lastextent = true;     }      ret = f2fsmigrateblocks(inode, curlblock, nrpblocks);     if (ret) {         if (ret == -ENOENT)             ret = -EINVAL;         goto out;     }      if (!lastextent)         goto retry; }  When the first extent is unaligned and roundup(nrpblocks, blkspersec) exceeds sis->max, we subtract blkspersec resulting in nrpblocks = 0. The code then incorrectly assumes this is the last extent, sets nrpblocks = lastlblock - curlblock (entire swapfile), and performs migration. After migration, it doesn't retry mapping, so subsequent extents are never processed. "  In order to fix this issue, we need to lookup block mapping info after we migrate all blocks in the tail of swapfile.