* [PATCH] jfs: check sb_set_blocksize() return value in jfs_fill_super()
@ 2026-05-14 16:07 Daiki Harada
2026-05-15 13:21 ` Christian Brauner
From: Daiki Harada @ 2026-05-14 16:07 UTC (permalink / raw)
To: jfs-discussion, linux-kernel
Cc: Dave Kleikamp, Christian Brauner, Al Viro, Kees Cook,
Daiki Harada, syzbot+32ec8b5bd050c78741c2
jfs_fill_super() does not check the return value of sb_set_blocksize().
If the block device's logical block size exceeds PAGE_SIZE,
sb_set_blocksize() fails and returns 0, but jfs_fill_super() continues
regardless. Subsequent sb_bread() calls then trigger a BUG() in
folio_alloc_buffers() because the block size is incompatible with the
folio size.
Fix by checking the return value of sb_set_blocksize() and failing the
mount with -EINVAL if it returns 0.
Reported-by: syzbot+32ec8b5bd050c78741c2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=32ec8b5bd050c78741c2
Signed-off-by: Daiki Harada <daiky0325@gmail.com>
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index 61575f7397ae..c69fc7677a66 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -491,8 +491,12 @@ static int jfs_fill_super(struct super_block *sb, struct fs_context *fc)
/*
* Initialize blocksize to 4K.
*/
- sb_set_blocksize(sb, PSIZE);
-
+ if (!sb_set_blocksize(sb, PSIZE)) {
+ jfs_err("block size %lu > page size %lu not supported",
+ sb->s_blocksize, PAGE_SIZE);
+ ret = -EINVAL;
+ goto out_unload;
+ }
/*
* Set method vectors.
*/
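Review bot: the jfs_err() in this hunk reports the wrong operands: once sb_set_blocksize() has failed, sb->s_blocksize is not the size that was rejected, and the comparison the message states (block size > page size) is not the condition the commit message describes, where the device's logical block size exceeds what the filesystem asked for. Print the requested size and the device's logical block size instead, e.g. `jfs_err("block size %d not supported by device (logical block size %u)", PSIZE, bdev_logical_block_size(sb->s_bdev));`. Also, the blank line that separated the block-size setup from the "Set method vectors" comment is dropped here; keep one after the closing brace so the two blocks stay visually separate.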
---
* Re: [PATCH] jfs: check sb_set_blocksize() return value in jfs_fill_super()
2026-05-14 16:07 [PATCH] jfs: check sb_set_blocksize() return value in jfs_fill_super() Daiki Harada
@ 2026-05-15 13:21 ` Christian Brauner
From: Christian Brauner @ 2026-05-15 13:21 UTC (permalink / raw)
To: Daiki Harada
Cc: jfs-discussion, linux-kernel, Dave Kleikamp, Al Viro, Kees Cook,
syzbot+32ec8b5bd050c78741c2
On Thu, May 14, 2026 at 04:07:00PM +0000, Daiki Harada wrote:
> jfs_fill_super() does not check the return value of sb_set_blocksize().
> If the block device's logical block size exceeds PAGE_SIZE,
> sb_set_blocksize() fails and returns 0, but jfs_fill_super() continues
> regardless. Subsequent sb_bread() calls then trigger a BUG() in
> folio_alloc_buffers() because the block size is incompatible with the
> folio size.
>
> Fix by checking the return value of sb_set_blocksize() and failing the
> mount with -EINVAL if it returns 0.
>
> Reported-by: syzbot+32ec8b5bd050c78741c2@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=32ec8b5bd050c78741c2
> Signed-off-by: Daiki Harada <daiky0325@gmail.com>
I already have a series from Christoph in my tree that fixes all
instances of this bug. Thank you for the fix though!