* Re: [PATCH v2] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()
2026-05-13 9:28 ` [PATCH v2] " Junrui Luo
@ 2026-05-13 9:47 ` Jan Kara
2026-05-13 11:08 ` Zhang Yi
` (3 subsequent siblings)
4 siblings, 0 replies; 9+ messages in thread
From: Jan Kara @ 2026-05-13 9:47 UTC
To: Junrui Luo
Cc: Theodore Ts'o, Jan Kara, Harshad Shirwadkar, linux-ext4,
linux-kernel, Yuhao Jiang, stable
On Wed 13-05-26 17:28:40, Junrui Luo wrote:
> jbd2_journal_initialize_fast_commit() validates journal capacity by
> checking (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS).
> Both j_last and num_fc_blks are unsigned, so when num_fc_blks exceeds
> j_last the subtraction wraps to a large value, bypassing the bounds
> check.
>
> The resulting underflow corrupts j_last, j_fc_first, and j_free,
> leading to journal abort.
>
> Fix by checking num_fc_blks against j_last before the subtraction,
> returning -EFSCORRUPTED.
>
> Fixes: 6866d7b3f2bb ("ext4 / jbd2: add fast commit initialization")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Looks good. Feel free to add:
Reviewed-by: Jan Kara <jack@suse.cz>
Honza
> ---
> Changes in v2:
> - Return -EFSCORRUPTED instead of -ENOSPC
> - Link to v1: https://lore.kernel.org/all/SYBPR01MB78813DD23B28BD49B1AA1123AF392@SYBPR01MB7881.ausprd01.prod.outlook.com/
> ---
> fs/jbd2/journal.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
> index cb2c529a8f1b..0bb97459fbf0 100644
> --- a/fs/jbd2/journal.c
> +++ b/fs/jbd2/journal.c
> @@ -2263,6 +2263,8 @@ jbd2_journal_initialize_fast_commit(journal_t *journal)
> unsigned long long num_fc_blks;
>
> num_fc_blks = jbd2_journal_get_num_fc_blks(sb);
> + if (num_fc_blks > journal->j_last)
> + return -EFSCORRUPTED;
> if (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS)
> return -ENOSPC;
>
>
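Review bot: the added `if (num_fc_blks > journal->j_last)` branch returns -EFSCORRUPTED with no comment and no diagnostic, so a caller that gets this error has no hint which value was rejected. A one-line comment saying the guard exists because the unsigned subtraction in the next check would wrap, plus an error message printing num_fc_blks and j_last, would make both the intent and the failure traceable. The boundary is also worth stating in that comment: num_fc_blks equal to j_last, or anything less than JBD2_MIN_JOURNAL_BLOCKS below it, still falls through to the existing -ENOSPC return, so an oversized value produces two different error codes depending on which side of j_last it lands.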
> ---
> base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
> change-id: 20260513-fixes-e6dcda3273d4
>
> Best regards,
> --
> Junrui Luo <moonafterrain@outlook.com>
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
* Re: [PATCH v2] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()
From: Zhang Yi @ 2026-05-13 11:08 UTC
To: Junrui Luo, Theodore Ts'o, Jan Kara, Harshad Shirwadkar
Cc: linux-ext4, linux-kernel, Yuhao Jiang, stable
On 5/13/2026 5:28 PM, Junrui Luo wrote:
> jbd2_journal_initialize_fast_commit() validates journal capacity by
> checking (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS).
> Both j_last and num_fc_blks are unsigned, so when num_fc_blks exceeds
> j_last the subtraction wraps to a large value, bypassing the bounds
> check.
>
> The resulting underflow corrupts j_last, j_fc_first, and j_free,
> leading to journal abort.
>
> Fix by checking num_fc_blks against j_last before the subtraction,
> returning -EFSCORRUPTED.
>
> Fixes: 6866d7b3f2bb ("ext4 / jbd2: add fast commit initialization")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Looks good to me.
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
> ---
> Changes in v2:
> - Return -EFSCORRUPTED instead of -ENOSPC
> - Link to v1: https://lore.kernel.org/all/SYBPR01MB78813DD23B28BD49B1AA1123AF392@SYBPR01MB7881.ausprd01.prod.outlook.com/
> ---
> fs/jbd2/journal.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
> index cb2c529a8f1b..0bb97459fbf0 100644
> --- a/fs/jbd2/journal.c
> +++ b/fs/jbd2/journal.c
> @@ -2263,6 +2263,8 @@ jbd2_journal_initialize_fast_commit(journal_t *journal)
> unsigned long long num_fc_blks;
>
> num_fc_blks = jbd2_journal_get_num_fc_blks(sb);
> + if (num_fc_blks > journal->j_last)
> + return -EFSCORRUPTED;
> if (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS)
> return -ENOSPC;
>
>
> ---
> base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
> change-id: 20260513-fixes-e6dcda3273d4
>
> Best regards,
* Re: [PATCH v2] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()
From: Baokun Li @ 2026-06-01 10:06 UTC
To: Junrui Luo
Cc: Theodore Ts'o, Jan Kara, Harshad Shirwadkar, linux-ext4,
linux-kernel, Yuhao Jiang, stable
On 2026/5/13 17:28, Junrui Luo wrote:
> jbd2_journal_initialize_fast_commit() validates journal capacity by
> checking (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS).
> Both j_last and num_fc_blks are unsigned, so when num_fc_blks exceeds
> j_last the subtraction wraps to a large value, bypassing the bounds
> check.
>
> The resulting underflow corrupts j_last, j_fc_first, and j_free,
> leading to journal abort.
>
> Fix by checking num_fc_blks against j_last before the subtraction,
> returning -EFSCORRUPTED.
>
> Fixes: 6866d7b3f2bb ("ext4 / jbd2: add fast commit initialization")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
The Fixes tag is not quite accurate, it should be:
Fixes: e029c5f279872 ("ext4: make num of fast commit blocks configurable")
Otherwise looks good to me:
Reviewed-by: Baokun Li libaokun@linux.alibaba.com
> ---
> Changes in v2:
> - Return -EFSCORRUPTED instead of -ENOSPC
> - Link to v1: https://lore.kernel.org/all/SYBPR01MB78813DD23B28BD49B1AA1123AF392@SYBPR01MB7881.ausprd01.prod.outlook.com/
> ---
> fs/jbd2/journal.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
> index cb2c529a8f1b..0bb97459fbf0 100644
> --- a/fs/jbd2/journal.c
> +++ b/fs/jbd2/journal.c
> @@ -2263,6 +2263,8 @@ jbd2_journal_initialize_fast_commit(journal_t *journal)
> unsigned long long num_fc_blks;
>
> num_fc_blks = jbd2_journal_get_num_fc_blks(sb);
> + if (num_fc_blks > journal->j_last)
> + return -EFSCORRUPTED;
> if (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS)
> return -ENOSPC;
>
>
> ---
> base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
> change-id: 20260513-fixes-e6dcda3273d4
>
> Best regards,
* Re: [PATCH v2] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()
From: Baokun Li @ 2026-06-01 11:37 UTC
To: Junrui Luo
Cc: Theodore Ts'o, Jan Kara, Harshad Shirwadkar, linux-ext4,
linux-kernel, Yuhao Jiang, stable
On 2026/5/13 17:28, Junrui Luo wrote:
> jbd2_journal_initialize_fast_commit() validates journal capacity by
> checking (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS).
> Both j_last and num_fc_blks are unsigned, so when num_fc_blks exceeds
> j_last the subtraction wraps to a large value, bypassing the bounds
> check.
>
> The resulting underflow corrupts j_last, j_fc_first, and j_free,
> leading to journal abort.
>
> Fix by checking num_fc_blks against j_last before the subtraction,
> returning -EFSCORRUPTED.
>
> Fixes: 6866d7b3f2bb ("ext4 / jbd2: add fast commit initialization")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
The Fixes tag is not quite accurate, it should be:
Fixes: e029c5f27987 ("ext4: make num of fast commit blocks configurable")
Otherwise looks good to me:
Reviewed-by: Baokun Li <libaokun@linux.alibaba.com>
(P.S. Resend due to malformed email. Sorry for the noise.)
> ---
> Changes in v2:
> - Return -EFSCORRUPTED instead of -ENOSPC
> - Link to v1: https://lore.kernel.org/all/SYBPR01MB78813DD23B28BD49B1AA1123AF392@SYBPR01MB7881.ausprd01.prod.outlook.com/
> ---
> fs/jbd2/journal.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
> index cb2c529a8f1b..0bb97459fbf0 100644
> --- a/fs/jbd2/journal.c
> +++ b/fs/jbd2/journal.c
> @@ -2263,6 +2263,8 @@ jbd2_journal_initialize_fast_commit(journal_t *journal)
> unsigned long long num_fc_blks;
>
> num_fc_blks = jbd2_journal_get_num_fc_blks(sb);
> + if (num_fc_blks > journal->j_last)
> + return -EFSCORRUPTED;
> if (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS)
> return -ENOSPC;
>
>
> ---
> base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
> change-id: 20260513-fixes-e6dcda3273d4
>
> Best regards,
* Re: [PATCH v2] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()
From: Theodore Ts'o @ 2026-06-04 14:45 UTC
To: Jan Kara, Harshad Shirwadkar, Junrui Luo
Cc: Theodore Ts'o, linux-ext4, linux-kernel, Yuhao Jiang, stable
On Wed, 13 May 2026 17:28:40 +0800, Junrui Luo wrote:
> jbd2_journal_initialize_fast_commit() validates journal capacity by
> checking (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS).
> Both j_last and num_fc_blks are unsigned, so when num_fc_blks exceeds
> j_last the subtraction wraps to a large value, bypassing the bounds
> check.
>
> The resulting underflow corrupts j_last, j_fc_first, and j_free,
> leading to journal abort.
>
> [...]
Applied, thanks!
[1/1] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()
commit: 289a2ca0c9b7eae74f93fc213b0b971669b8683d
Best regards,
--
Theodore Ts'o <tytso@mit.edu>