From: Szymon Wilczek
To: shaggy@kernel.org
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, syzbot+a939a1121380d3212940@syzkaller.appspotmail.com, Szymon Wilczek
Subject: [PATCH] jfs: fix array-index-out-of-bounds in dtSplitPage
Date: Thu, 25 Dec 2025 19:28:52 +0100
Message-ID: <20251225182852.508200-1-swilczek.lx@gmail.com>
X-Mailer: git-send-email 2.52.0
X-Mailing-List: linux-kernel@vger.kernel.org

The dtSplitPage function creates a new struct dt_lock (which wraps struct linelock) using txLinelock. txLinelock initializes the linelock with maxcnt = TLOCKLONG. However, struct linelock defines the lv array with size 20, while TLOCKLONG is 28. This leads to a mismatch where maxcnt allows indexing beyond the defined array size.

This causes an array-index-out-of-bounds error when dtSplitPage or dtMoveEntry accesses indices between 20 and 27.

Fix this by using TLOCKLONG for the lv array size in struct linelock. This ensures the structure definition matches the maximum possible index used in the code.

The size of struct linelock increases from 48 bytes to 64 bytes, but this fits safely within the 72-byte struct tlock allocation path used by txLinelock. For the txLock path (where linelock overlays tlock.lock[]), the code explicitly sets maxcnt = TLOCKSHORT (20), so access remains within the safe 48-byte limit.

Reported-by: syzbot+a939a1121380d3212940@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a939a1121380d3212940
Signed-off-by: Szymon Wilczek
---
 fs/jfs/jfs_txnmgr.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/jfs/jfs_txnmgr.h b/fs/jfs/jfs_txnmgr.h
index ba71eb5ced56..04eac3850ff0 100644
--- a/fs/jfs/jfs_txnmgr.h
+++ b/fs/jfs/jfs_txnmgr.h
@@ -165,8 +165,8 @@ struct linelock { u8 l2linesize; /* 1: log2 of linesize */ /* (8) */ =20 - struct lv lv[20]; /* 40: */ -}; /* (48) */ + struct lv lv[TLOCKLONG]; /* 56: */ +}; /* (64) */ =20 #define dt_lock linelock =20 --=20 2.52.0
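Review bot: with lv[] grown to TLOCKLONG entries, the patched struct linelock (64 bytes per the new trailing comment) is larger than the 48-byte overlay the commit message says the txLock path uses, so on that path correctness now rests entirely on maxcnt being set to TLOCKSHORT; a build-time check such as `BUILD_BUG_ON(sizeof(struct linelock) > sizeof(struct tlock))` next to the struct, plus a short comment on `struct lv lv[TLOCKLONG];` stating that slots at or above TLOCKSHORT are only valid for locks allocated by txLinelock, would make that invariant explicit and catch a future resize of either side. The trailers also lack a Fixes: tag; since this is a syzbot-reported out-of-bounds access, adding one (and Cc: stable) would help backporting.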
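As an added illustration of the mismatch the commit message describes (not code from the patch or from fs/jfs): a reduced model of struct linelock in its pre-patch and patched shapes, with an append that refuses to go past either maxcnt or the array's real capacity, which is the check the pre-patch code lacked. The header fields, the two-byte struct lv and the split simulation are assumptions; the constants, limits and sizes are the ones the commit message and hunk state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define TLOCKSHORT 20 /* limits as stated in the commit message */
#define TLOCKLONG  28
/* Assumed 2-byte entry: 20 entries are 40 bytes and 28 are 56, as the hunk's comments say. */
struct lv { uint8_t offset; uint8_t length; };
/* Assumed stand-in for the real 8-byte prefix that ends at l2linesize in the hunk. */
#define LINELOCK_HDR uint16_t next; int8_t maxcnt; int8_t index; uint16_t flag; uint8_t type; uint8_t l2linesize
struct linelock_old { LINELOCK_HDR; struct lv lv[20]; };        /* pre-patch shape: 48 bytes */
struct linelock_new { LINELOCK_HDR; struct lv lv[TLOCKLONG]; }; /* patched shape: 64 bytes */
/* Build-time guard: the array must cover every index that maxcnt may permit. */
_Static_assert(ARRAY_SIZE(((struct linelock_new *)0)->lv) >= TLOCKLONG, "lv[] smaller than TLOCKLONG");

/* Entries that maxcnt would allow past the end of the array (0 means the two limits agree). */
int lv_overrun(int maxcnt, size_t capacity)
{
    return maxcnt > (int)capacity ? maxcnt - (int)capacity : 0;
}

/* Append one line range, refusing when either the run-time limit or the type's capacity is hit. */
bool lv_append(struct lv *lv, size_t capacity, int8_t maxcnt, int8_t *index, uint8_t off, uint8_t len)
{
    if (*index >= maxcnt || (size_t)*index >= capacity)
        return false;
    lv[*index].offset = off;
    lv[*index].length = len;
    (*index)++;
    return true;
}

/* Record n one-line ranges as a page split would; return how many were accepted. */
int record_lines(struct lv *lv, size_t capacity, int8_t maxcnt, int8_t *index, int n)
{
    int accepted = 0;
    for (int i = 0; i < n && lv_append(lv, capacity, maxcnt, index, (uint8_t)i, 1); i++)
        accepted++;
    return accepted;
}

/* Run the split against the pre-patch or patched layout with the maxcnt the caller's path sets. */
int split_entries(bool patched, int8_t maxcnt, int n)
{
    struct linelock_old o = { .maxcnt = maxcnt };
    struct linelock_new p = { .maxcnt = maxcnt };
    return patched ? record_lines(p.lv, ARRAY_SIZE(p.lv), maxcnt, &p.index, n)
                   : record_lines(o.lv, ARRAY_SIZE(o.lv), maxcnt, &o.index, n);
}
```

lv_overrun(TLOCKLONG, 20) yields the eight indices, 20 through 27, that the commit message names; split_entries(false, TLOCKLONG, 28) stops at 20 only because the capacity check is present here.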