In the Linux kernel, the following vulnerability has been resolved:
romfs: check sb_set_blocksize() return value
romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration.
This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device.
When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the device has logical_block_size=32768, bdev_validate_blocksize() fails because the requested size is smaller than the device's logical block size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and continues mounting.
The superblock's block size remains at the device's logical block size (32768). Later, when sb_bread() attempts I/O with this oversized block size, it triggers a kernel BUG in folio_set_bh():
kernel BUG at fs/buffer.c:1582!
BUG_ON(size > PAGE_SIZE);
Fix by checking the return value of sb_set_blocksize() and failing the mount with -EINVAL if it returns 0.
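The control flow described above, as a simplified user-space model in C (an added example, not the kernel's romfs source). The model_* names, struct model_sb and MODEL_PAGE_SIZE are hypothetical stand-ins, ROMBSIZE uses the value quoted in the text, and only the logical-block-size check the text describes is modeled.

```c
/* User-space model of the romfs mount path; not kernel code. */
#include <errno.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u   /* assumed page size for the model */
#define ROMBSIZE        4096u   /* value as quoted in the advisory text */

struct model_sb {                        /* stand-in for struct super_block */
    unsigned int s_blocksize;            /* starts at the device's logical block size */
    unsigned int dev_logical_block_size;
};

/* Models the bdev_validate_blocksize() failure: requested size below the logical block size. */
static int model_validate_blocksize(const struct model_sb *sb, unsigned int size)
{
    return size < sb->dev_logical_block_size ? -EINVAL : 0;
}

/* Models sb_set_blocksize(): returns the new size, or 0 on failure with sb left unchanged. */
static unsigned int model_sb_set_blocksize(struct model_sb *sb, unsigned int size)
{
    if (model_validate_blocksize(sb, size))
        return 0;
    sb->s_blocksize = size;
    return size;
}

/* Models BUG_ON(size > PAGE_SIZE) reached via sb_bread(): 1 means the kernel would BUG. */
static int model_read_would_bug(const struct model_sb *sb)
{
    return sb->s_blocksize > MODEL_PAGE_SIZE;
}

/* Before the fix: the return value is ignored and the mount continues. */
static int fill_super_unpatched(struct model_sb *sb)
{
    (void)model_sb_set_blocksize(sb, ROMBSIZE);
    return 0;
}

/* After the fix: a 0 return fails the mount with -EINVAL before any I/O. */
static int fill_super_patched(struct model_sb *sb)
{
    return model_sb_set_blocksize(sb, ROMBSIZE) ? 0 : -EINVAL;
}

int main(void)
{
    struct model_sb a = { 32768, 32768 }, b = { 32768, 32768 };   /* constructed device state */
    int ra = fill_super_unpatched(&a);
    printf("unpatched: ret=%d blocksize=%u would_bug=%d\n", ra, a.s_blocksize, model_read_would_bug(&a));
    printf("patched:   ret=%d\n", fill_super_patched(&b));
    return 0;
}
```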
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23238.json",
"cna_assigner": "Linux"
}