[PATCH] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()

Next message: Breno Leitao: "Re: [PATCH net-next 8/8] netconsole: move find_skb() from netpoll"
Previous message: David Hildenbrand (Arm): "Re: &quot;alloc_tag was not set&quot; when running mm/ksft_hmm.sh"
Next in thread: Zhang Yi: "Re: [PATCH] jbd2: fix integer underflow in jbd2_journal_initialize_fast_commit()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Junrui Luo

Date: Tue May 12 2026 - 03:55:50 EST

jbd2_journal_initialize_fast_commit() validates journal capacity by
checking (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS).
Both j_last and num_fc_blks are unsigned, so when num_fc_blks exceeds
j_last the subtraction wraps to a large value, bypassing the bounds
check.

The resulting underflow corrupts j_last, j_fc_first, and j_free,
leading to journal abort.

Fix by adding an overflow guard that checks num_fc_blks against j_last
before performing the subtraction.

Fixes: 6866d7b3f2bb ("ext4 / jbd2: add fast commit initialization")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
fs/jbd2/journal.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index cb2c529a8f1b..a54146576c3f 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -2263,7 +2263,8 @@ jbd2_journal_initialize_fast_commit(journal_t *journal)
unsigned long long num_fc_blks;

num_fc_blks = jbd2_journal_get_num_fc_blks(sb);
- if (journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS)
+ if (num_fc_blks > journal->j_last ||
+ journal->j_last - num_fc_blks < JBD2_MIN_JOURNAL_BLOCKS)
return -ENOSPC;

/* Are we called twice? */

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260512-fixes-2ff4f9f7d064

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>