CVE-2026-53320

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: reject zero bd oblocknr in nilfs ioctl mark blocks dirty()

nilfs ioctl mark blocks dirty() uses bd oblocknr to detect dead blocks by comparing it with the current block number bd blocknr. If they differ, the block is considered dead and skipped.

However, bd oblocknr should never be 0 since block 0 typically stores the primary superblock and is never a valid GC target block. A corrupted ioctl request with bd oblocknr set to 0 causes the comparison to incorrectly match when the lookup returns -ENOENT and sets bd blocknr to 0, bypassing the dead block check and calling nilfs bmap mark() on a non-existent block. This causes nilfs btree do lookup() to return -ENOENT, triggering the WARN ON(ret == -ENOENT).

Fix this by rejecting ioctl requests with bd oblocknr set to 0 at the beginning of each iteration.

[ryusuke: slightly modified the commit message and comments for accuracy]