Message-ID: <6960bfaa.050a0220.1c677c.03bd.GAE@google.com>
Date: Fri, 09 Jan 2026 00:43:22 -0800
From: syzbot <syzbot+b4a2af3000eaa84d95d5@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] btrfs: reject devices with block size larger than PAGE_SIZE

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] btrfs: reject devices with block size larger than PAGE_SIZE
Author: kartikey406@...il.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When a block device has a block size larger than PAGE_SIZE, the page
cache allocates folios that are too small for the device's requirements.
This causes folio_alloc_buffers() to return NULL (loop never executes
when blocksize > folio_size), leading to a NULL pointer dereference in
create_empty_buffers() when accessing bh->b_state.

The bug was triggered by mounting a null_blk device configured with
large block size as btrfs. The crash path is:

  btrfs_read_disk_super()
    read_cache_page_gfp()        <- allocates 4KB folio
      do_read_cache_folio()
        block_read_full_folio()
          folio_create_buffers()
            create_empty_buffers()
              folio_alloc_buffers()  <- returns NULL (16KB > 4KB)
              bh->b_state            <- NULL deref crash

Add a check to reject block devices with block size larger than
PAGE_SIZE before attempting to read the superblock.

Reported-by: syzbot+b4a2af3000eaa84d95d5@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b4a2af3000eaa84d95d5
Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
 fs/btrfs/volumes.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 13c514684cfb..1d529e408f5c 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1341,6 +1341,10 @@ struct btrfs_super_block *btrfs_read_disk_super(struct block_device *bdev,
 	struct address_space *mapping = bdev->bd_mapping;
 	int ret;
 
+	/* Reject devices with block size larger than PAGE_SIZE */
+	if (bdev_logical_block_size(bdev) > PAGE_SIZE)
+		return ERR_PTR(-EINVAL);
+
 	bytenr_orig = btrfs_sb_offset(copy_num);
 	ret = btrfs_sb_log_location_bdev(bdev, copy_num, READ, &bytenr);
 	if (ret < 0) {
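Review bot: the added check at the top of btrfs_read_disk_super() compares bdev_logical_block_size(bdev) with PAGE_SIZE, but the failure described in the commit message is the block size passed to folio_alloc_buffers() exceeding the size of the folio that read_cache_page_gfp() returned. Please state in the commit message that these are the same two quantities for bdev->bd_mapping; if the mapping can use a different block size or hand back larger folios, the test either rejects devices that would read correctly or misses the failing case. The early return is also silent: a bare ERR_PTR(-EINVAL) gives the person mounting no hint that block size was the reason, so a log message naming the device's block size and PAGE_SIZE before returning would help. The comment restates the condition; it would be more useful if it recorded why the limit exists (the NULL return from folio_alloc_buffers() and the bh->b_state dereference in create_empty_buffers()).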
-- 
2.43.0
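The failure mode described in the commit message, reduced to a user-space model. This is an added example, not kernel code and not part of the forwarded patch; `bh_model`, `model_alloc_buffers()` and `model_create_buffers()` are hypothetical names, and the loop shape is a simplification based on the message's statement that the loop never executes when blocksize > folio_size.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for a buffer head (model only, not the kernel struct). */
struct bh_model {
    unsigned long b_state;
    struct bh_model *b_this_page;
};

/* One buffer per block, walking down from the end of the folio.
 * Assumes blocksize > 0. If blocksize > folio_size the first subtraction
 * goes negative, the body never runs, and the returned list head is NULL. */
struct bh_model *model_alloc_buffers(long folio_size, long blocksize)
{
    struct bh_model *head = NULL;
    long offset = folio_size;

    while ((offset -= blocksize) >= 0) {
        struct bh_model *bh = calloc(1, sizeof(*bh));
        if (!bh) abort();
        bh->b_this_page = head;
        head = bh;
    }
    return head;
}

/* Caller with a NULL check: returns the number of buffers set up, or -1
 * when no block fits in the folio. Without the check, the first
 * head->b_state access below is the NULL dereference from the crash path. */
int model_create_buffers(long folio_size, long blocksize, unsigned long state)
{
    struct bh_model *head = model_alloc_buffers(folio_size, blocksize);
    int n = 0;

    if (!head)
        return -1;
    while (head) {
        struct bh_model *next = head->b_this_page;
        head->b_state |= state;
        n++;
        free(head);
        head = next;
    }
    return n;
}

int main(void)
{
    /* Constructed sizes: a 4 KiB folio with 512 B blocks, then 16 KiB blocks. */
    printf("%d %d\n", model_create_buffers(4096, 512, 1),
           model_create_buffers(4096, 16384, 1));
    return 0;
}
```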

