Home

Description

In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the device has logical_block_size=32768, bdev_validate_blocksize() fails because the requested size is smaller than the device's logical block size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and continues mounting. The superblock's block size remains at the device's logical block size (32768). Later, when sb_bread() attempts I/O with this oversized block size, it triggers a kernel BUG in folio_set_bh(): kernel BUG at fs/buffer.c:1582! BUG_ON(size > PAGE_SIZE); Fix by checking the return value of sb_set_blocksize() and failing the mount with -EINVAL if it returns 0.

PUBLISHED Reserved 2026-01-13 | Published 2026-03-04 | Updated 2026-03-04 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before a381f0f61b35c8894b0bd0d6acef2d8f9b08b244
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before f2521ab1f63a8c244f06a080319e5ff9a2e1bd95
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 2c5829cd8fbbc91568c520b666898f57cdcb8cf6
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before cbd9931e6456822067725354d83446c5bb813030
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 9b203b8ddd7359270e8a694d0584743555128e2c
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 4b71ad7676564a94ec5f7d18298f51e8ae53db73
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0
affected

Default status
affected

5.10.251 (semver)
unaffected

5.15.201 (semver)
unaffected

6.1.164 (semver)
unaffected

6.6.127 (semver)
unaffected

6.12.74 (semver)
unaffected

6.18.13 (semver)
unaffected

6.19 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244

git.kernel.org/...c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95

git.kernel.org/...c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6

git.kernel.org/...c/cbd9931e6456822067725354d83446c5bb813030

git.kernel.org/...c/9b203b8ddd7359270e8a694d0584743555128e2c

git.kernel.org/...c/4b71ad7676564a94ec5f7d18298f51e8ae53db73

git.kernel.org/...c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0

cve.org (CVE-2026-23238)

nvd.nist.gov (CVE-2026-23238)

Download JSON