[PATCH] jfs: validate budmin to prevent shift-out-of-bounds in dbAllocAG()

Posted by Sukrut Heroorkar 3 months, 3 weeks ago
syzbot reported "UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1440:48
shift exponent -1 is negative".

The budmin value can have a negative value and cause shift-out-of-bounds
from UBSAN.

Add a check on budmin immediately after reading it from the metapage,
and return an error if it's negative. This prevents UBSAN reports and
correctly treats corrupted metadata as an I/O error.

Reported-by: syzbot+4b717071f1eecb2972df@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b717071f1eecb2972df
Tested-by: syzbot+4b717071f1eecb2972df@syzkaller.appspotmail.com
Signed-off-by: Sukrut Heroorkar <hsukrut3@gmail.com>
---
 fs/jfs/jfs_dmap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..76f4b9322034 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1372,6 +1372,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
 	dcp = (struct dmapctl *) mp->data;
 	budmin = dcp->budmin;
 
+	if (unlikely(budmin < 0)) {
+		jfs_err("JFS: dmapctl corruption: budmin=%d", budmin);
+		release_metapage(mp);
+		return -EIO;
+	}
+
 	if (dcp->leafidx != cpu_to_le32(CTLLEAFIND)) {
 		jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n");
 		release_metapage(mp);
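Review bot: the new `if (unlikely(budmin < 0))` block reports through `jfs_err()` and returns -EIO, while the existing corruption check two lines below uses `jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n")` for the very same dmapctl page; the two paths should be consistent, so either route the budmin failure through `jfs_error()` as well (so the filesystem's configured error handling applies to this corruption too) or fold the budmin test into that existing `leafidx` check. Also consider whether a lower bound alone is sufficient: the reported exponent was -1, but UBSAN's shift-out-of-bounds also fires for an exponent at or above the shift width, so a corrupt `budmin` that is too large would trip the same report and an upper bound at the same point may be worth adding.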
-- 
2.43.0
Re: [PATCH] jfs: validate budmin to prevent shift-out-of-bounds in dbAllocAG()
Posted by David Hunter 3 months, 3 weeks ago
On 10/18/25 01:30, Sukrut Heroorkar wrote:
> Tested-by: syzbot+4b717071f1eecb2972df@syzkaller.appspotmail.com


Hey Sukrut,

Did you do any other testing other than syzbot testing?

Thanks,
David Hunter
Re: [PATCH] jfs: validate budmin to prevent shift-out-of-bounds in dbAllocAG()
Posted by sukrut heroorkar 3 months, 3 weeks ago
Hi David,
On Sun, Oct 19, 2025 at 12:50 AM David Hunter
<david.hunter.linux@gmail.com> wrote:
>
> On 10/18/25 01:30, Sukrut Heroorkar wrote:
> > Tested-by: syzbot+4b717071f1eecb2972df@syzkaller.appspotmail.com
>
>
> Hey Sukrut,
>
> Did you do any other testing other than syzbot testing?
I also used the C reproducer to test my fix locally with QEMU and it
no longer triggers the error. Do you recommend any
other tests? Please let me know.
Thanks,
Sukrut.
> Thanks,
> David Hunter
Re: [PATCH] jfs: validate budmin to prevent shift-out-of-bounds in dbAllocAG()
Posted by David Hunter 3 months, 2 weeks ago
On 10/19/25 05:42, sukrut heroorkar wrote:
> Hi David,
> On Sun, Oct 19, 2025 at 12:50 AM David Hunter
> <david.hunter.linux@gmail.com> wrote:
>>
>> On 10/18/25 01:30, Sukrut Heroorkar wrote:
>>> Tested-by: syzbot+4b717071f1eecb2972df@syzkaller.appspotmail.com
>>
>>
>> Hey Sukrut,
>>
>> Did you do any other testing other than syzbot testing?
> I also used the C reproducer to test my fix locally with QEMU and it
> no longer triggers the error. Do you recommend any
> other tests? Please let me know.
> Thanks,
> Sukrut.
>> Thanks,
>> David Hunter


Hey Sukrut,

You always need to do testing to ensure that your code does not bring in
regressions into the kernel. If doing things to file systems, xfstests
is at least the basic testing that you should do. You can also search to
see if any other publicly available tools are applicable, but
xfstests are the minimum.

Thanks,
David Hunter