Re: [PATCH] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()

From: Zhang Yi

Date: Tue May 12 2026 - 08:11:34 EST


On 5/12/2026 3:49 PM, Junrui Luo wrote:
> jbd2_journal_initialize_fast_commit() validates journal capacity by
> checking (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS).
> Both j_last and num_fc_blks are unsigned, so when num_fc_blks exceeds
> j_last the subtraction wraps to a large value, bypassing the bounds
> check.

I'm wondering, how does the "num_fc_blks exceeds j_last" error occur?
Under normal circumstances, journal->j_last is initialized to
sb->s_maxlen, which is set to the total number of journal blocks (i.e.,
the sum of the normal journal area and the fast commit journal area)
during filesystem formatting by mkfs. Therefore, num_fc_blocks should
never exceed journal->j_last. Right?

Have you mounted a deliberately constructed corrupted file system? If
so, I'd prefer to return EFSCORRUPTED here.

Thanks,
Yi.

>
> The resulting underflow corrupts j_last, j_fc_first, and j_free,
> leading to journal abort.
>
> Fix by adding an overflow guard that checks num_fc_blks against j_last
> before performing the subtraction.
>
> Fixes: 6866d7b3f2bb ("ext4 / jbd2: add fast commit initialization")
> Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
> ---
> fs/jbd2/journal.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
> index cb2c529a8f1b..a54146576c3f 100644
> --- a/fs/jbd2/journal.c
> +++ b/fs/jbd2/journal.c
> @@ -2263,7 +2263,8 @@ jbd2_journal_initialize_fast_commit(journal_t *journal)
> unsigned long long num_fc_blks;
>
> num_fc_blks = jbd2_journal_get_num_fc_blks(sb);
> - if (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS)
> + if (num_fc_blks > journal->j_last ||
> + journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS)
> return -ENOSPC;
>
> /* Are we called twice? */
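Review bot: the new guard on the first `+` line reports num_fc_blks > journal->j_last with the same -ENOSPC as a journal that is merely too small, even though a fast-commit block count larger than j_last cannot come from a correctly formatted journal; consider returning a distinct error (the reply above suggests EFSCORRUPTED) or at least logging the offending count so the root cause is visible when mount fails. A one-line comment above the `if` saying that the extra comparison exists because both operands are unsigned and `journal->j_last - num_fc_blks` would otherwise wrap would also keep the guard from being "simplified" away later.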
>
> ---
> base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
> change-id: 20260512-fixes-2ff4f9f7d064
>
> Best regards,