Re: [syzbot] [gfs2?] INFO: task hung in gfs2_recover_journal (4)

Next message: David Laight: "Re: [PATCH v4 0/2] lib/vsprintf: Fixes size check"
Previous message: Claudiu Beznea: "Re: [PATCH 4/5] PCI: rzg3s-host: Prepare System Controller handling for multiple PCIe channels"
In reply to: syzbot: "Re: [syzbot] [gfs2?] INFO: task hung in gfs2_recover_journal (4)"
Next in thread: syzbot: "Re: [syzbot] [gfs2?] INFO: task hung in gfs2_recover_journal (4)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Edward Adam Davis

Date: Wed Mar 25 2026 - 06:29:54 EST

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git 09c0f7f1bcdb

diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c
index 1cd8ec0bce83..fd11d5aa93b6 100644
--- a/fs/gfs2/bmap.c
+++ b/fs/gfs2/bmap.c
@@ -2266,6 +2266,9 @@ int gfs2_map_journal_extents(struct gfs2_sbd *sdp, struct gfs2_jdesc *jd)
u64 size;
int rc;
ktime_t start, end;
+ struct super_block *sb = sdp->sd_vfs;
+ sector_t maxsector = bdev_nr_sectors(sb->s_bdev);
+ u32 bshift = sdp->sd_fsb2bb_shift;

start = ktime_get();
lblock_stop = i_size_read(jd->jd_inode) >> shift;
@@ -2280,6 +2283,10 @@ int gfs2_map_journal_extents(struct gfs2_sbd *sdp, struct gfs2_jdesc *jd)
rc = gfs2_block_map(jd->jd_inode, lblock, &bh, 0);
if (rc || !buffer_mapped(&bh))
goto fail;
+ if (bh.b_blocknr << bshift > maxsector) {
+ rc = -EIO;
+ goto fail;
+ }
rc = gfs2_add_jextent(jd, lblock, bh.b_blocknr, bh.b_size >> shift);
if (rc)
goto fail;