lookup_bdev() blindly returns inode->i_rdev without validating it.
When a FUSE filesystem exposes a root inode with S_IFBLK mode but
i_rdev == 0 (via rootmode=060000), any subsequent mount attempt using
that path as a block device source propagates dev_t 0 into the
superblock machinery. After commit 9ee5f161a4db ("fs: maintain a
global device-to-superblock table") this triggers a WARNING in
super_dev_register().
Reject i_rdev == 0 early with -ENODEV since no real block device
driver registers major 0.
Reported-by: syzbot+72fe3ea5814121fbc76e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=72fe3ea5814121fbc76e
Signed-off-by: Yun Zhou <redacted>
---
block/bdev.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/block/bdev.c b/block/bdev.c
index 28b0d40c362f..797d7f0ef609 100644
--- a/block/bdev.c
+++ b/block/bdev.c
@@ -1278,6 +1278,18 @@ int lookup_bdev(const char *pathname, dev_t *dev)
if (!may_open_dev(&path))
goto out_path_put;
+ /*
+ * Reject a block device inode with i_rdev == 0. A dev_t of 0 is
+ * never valid for a block device: no real block device driver
+ * registers major 0. Fake block device inodes (e.g. fuse with
+ * rootmode=S_IFBLK) can expose i_rdev == 0, and letting that
+ * propagate would confuse superblock lookup and trigger warnings
+ * in the device-to-superblock table (super_dev_register).
+ */
+ error = -ENODEV;
+ if (!inode->i_rdev)
+ goto out_path_put;
+
*dev = inode->i_rdev;
error = 0;
out_path_put:
--
2.43.0