CVE-2026-23238

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> romfs: check sb_set_blocksize() return value<br /> <br /> romfs_fill_super() ignores the return value of sb_set_blocksize(), which<br /> can fail if the requested block size is incompatible with the block<br /> device&amp;#39;s configuration.<br /> <br /> This can be triggered by setting a loop device&amp;#39;s block size larger than<br /> PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs<br /> filesystem on that device.<br /> <br /> When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the<br /> device has logical_block_size=32768, bdev_validate_blocksize() fails<br /> because the requested size is smaller than the device&amp;#39;s logical block<br /> size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and<br /> continues mounting.<br /> <br /> The superblock&amp;#39;s block size remains at the device&amp;#39;s logical block size<br /> (32768). Later, when sb_bread() attempts I/O with this oversized block<br /> size, it triggers a kernel BUG in folio_set_bh():<br /> <br /> kernel BUG at fs/buffer.c:1582!<br /> BUG_ON(size &gt; PAGE_SIZE);<br /> <br /> Fix by checking the return value of sb_set_blocksize() and failing the<br /> mount with -EINVAL if it returns 0.