In the Linux kernel, the following vulnerability has been resolved:
nilfs2: reject zero bdoblocknr in nilfsioctlmarkblocks_dirty()
nilfsioctlmarkblocksdirty() uses bdoblocknr to detect dead blocks by comparing it with the current block number bdblocknr. If they differ, the block is considered dead and skipped.
However, bdoblocknr should never be 0 since block 0 typically stores the primary superblock and is never a valid GC target block. A corrupted ioctl request with bdoblocknr set to 0 causes the comparison to incorrectly match when the lookup returns -ENOENT and sets bdblocknr to 0, bypassing the dead block check and calling nilfsbmapmark() on a non-existent block. This causes nilfsbtreedolookup() to return -ENOENT, triggering the WARN_ON(ret == -ENOENT).
Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration.
[ryusuke: slightly modified the commit message and comments for accuracy]
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53320.json",
"cna_assigner": "Linux"
}