[PATCH 1/4] erofs: fix incorrect early exits for invalid metabox-enabled images

From: Gao Xiang
Date: Mon Dec 29 2025 - 04:30:07 EST


Crafted EROFS images with metadata compression enabled can trigger
incorrect early returns, leading to folio reference leaks.

However, this does not cause system crashes or other severe issues.

Fixes: 414091322c63 ("erofs: implement metadata compression")
Signed-off-by: Gao Xiang <hsiangkao@xxxxxxxxxxxxxxxxx>
---
fs/erofs/super.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/erofs/super.c b/fs/erofs/super.c
index 937a215f626c..2e4d0ea2ffa1 100644
--- a/fs/erofs/super.c
+++ b/fs/erofs/super.c
@@ -330,12 +330,13 @@ static int erofs_read_superblock(struct super_block *sb)
}
sbi->packed_nid = le64_to_cpu(dsb->packed_nid);
if (erofs_sb_has_metabox(sbi)) {
+ ret = -EFSCORRUPTED;
if (sbi->sb_size <= offsetof(struct erofs_super_block,
metabox_nid))
- return -EFSCORRUPTED;
+ goto out;
sbi->metabox_nid = le64_to_cpu(dsb->metabox_nid);
if (sbi->metabox_nid & BIT_ULL(EROFS_DIRENT_NID_METABOX_BIT))
- return -EFSCORRUPTED; /* self-loop detection */
+ goto out; /* self-loop detection */
}
sbi->inos = le64_to_cpu(dsb->inos);

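Review bot: The "ret = -EFSCORRUPTED;" preset at the top of the erofs_sb_has_metabox(sbi) block is still in ret when both checks pass and execution falls through to "sbi->inos = le64_to_cpu(dsb->inos);". Nothing in this hunk shows ret being reassigned before the next "goto out" or the final return, so a later edit that jumps to out without setting ret would report a valid image as corrupted. Setting ret inside each failing branch (with braces) keeps the error value next to the check that produces it; if the preset is kept, the commit message should say that all later paths overwrite ret. The message could also name what the out label releases, since the folio reference being leaked is not visible in these lines.
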
--
2.43.5