Re: [PATCH] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()

Next message: Breno Leitao: "Re: [PATCH v6 1/4] mm/memory-failure: report MF_MSG_KERNEL for reserved pages"
Previous message: Qais Yousef: "[PATCH] sched/fair: Call update_util_est() after dequeue_entities()"
In reply to: Zhang Yi: "Re: [PATCH] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()"
Next in thread: Junrui Luo: "[PATCH v2] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Junrui Luo

Date: Tue May 12 2026 - 09:11:59 EST

On Tue, May 12, 2026 at 08:08:56PM +0800, Zhang Yi wrote:
> On 5/12/2026 3:49 PM, Junrui Luo wrote:
> > jbd2_journal_initialize_fast_commit() validates journal capacity by
> > checking (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS).
> > Both j_last and num_fc_blks are unsigned, so when num_fc_blks exceeds
> > j_last the subtraction wraps to a large value, bypassing the bounds
> > check.
>
> I'm wondering, how does the "num_fc_blks exceeds j_last" error occur?
> Under normal circumstances, journal->j_last is initialized to
> sb->s_maxlen, which is set to the total number of journal blocks (i.e.,
> the sum of the normal journal area and the fast commit journal area)
> during filesystem formatting by mkfs. Therefore, num_fc_blocks shoud
> never exceed journal->j_last. Right?

Yes, this is triggered by mounting a crafted filesystem where the ext4
superblock has fast_commit enabled but the journal superblock does not,
while s_num_fc_blks is set larger than s_maxlen.

> Have you mounted a deliberately constructed corrupted file system? If
> so, I'd prefer to return EFSCORRUPTED here.

I will change it in v2.

Thanks,
Junrui Luo