From: syzbot
To: jfs-discussion@lists.sourceforge.net, shaggy@kernel.org, ghandatmanas@gmail.com
Cc: syzbot, Dmitry Vyukov, syzbot+1afe7ef2d0062e19eeb3@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH] jfs: fix array-index-out-of-bounds in dbFindLeaf
Date: Wed, 4 Feb 2026 10:22:30 +0100
Message-ID: <20260204092230.2540042-1-syzbot@kernel.org>

UBSAN reported an array-index-out-of-bounds issue in dbFindLeaf:

index 1365 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 0 UID: 0 PID: 6287 Comm: syz-executor268 Not tainted ...
Call Trace:
...
__ubsan_handle_out_of_bounds+0x115/0x140 lib/ubsan.c:455
dbFindLeaf+0x308/0x520 fs/jfs/jfs_dmap.c:2976
dbFindCtl+0x267/0x520 fs/jfs/jfs_dmap.c:1717
...

The issue is caused by an off-by-one error in the bounds check within dbFindLeaf. The function traverses the dmap tree to find free blocks. It uses a loop to iterate through the levels of the tree, calculating the index `x + n` to access the `tp->dmt_stree` array. The variable `max_size` represents the size of this array (CTLTREESIZE (1365) for dmapctl or TREESIZE (341) for dmaptree).

The bounds check `if (x + n > max_size)` allows `x + n` to be equal to `max_size`. However, since the array size is `max_size`, the valid indices are `0` to `max_size - 1`. Accessing `tp->dmt_stree[max_size]` results in an array-index-out-of-bounds access.

This can occur when the `dmt_height` field in the on-disk structure is corrupted or fuzzed to be larger than the fixed height supported by the `dmt_stree` array.

Fix this by changing the condition to `>=` to correctly reject indices equal to or greater than the array size.

Signed-off-by: syzbot@kernel.org
Signed-off-by: Dmitry Vyukov
Fixes: 22cad8bc1d36 ("jfs: fix array-index-out-of-bounds in dbFindLeaf")
Reported-by: syzbot+1afe7ef2d0062e19eeb3@syzkaller.appspotmail.com
To: "Dave Kleikamp"
To: "Manas Ghandat"
---
This patch was generated by the Google Gemini LLM model. It was pre-reviewed and Signed-off-by a human, but please review carefully.

Gerrit code review with full side-by-side diffs: https://linux-review.git.corp.google.com/c/linux/kernel/git/torvalds/linux/+/26122

Change-Id: I92f694e86518349eafa132b2ba314d8dfff6c86e
---
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index cdfa699..18a7dc5 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -2971,7 +2971,7 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *le= afidx, bool is_ctl) /* sufficient free space found. move to the next * level (or quit if this is the last level). */ - if (x + n > max_size) + if (x + n >=3D max_size) return -ENOSPC; if (l2nb <=3D tp->dmt_stree[x + n]) break;

base-commit: 63804fed149a6750ffd28610c5c1c98cce6bd377
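Review bot: the subject line is identical to the title of the commit named in the Fixes: tag (22cad8bc1d36 "jfs: fix array-index-out-of-bounds in dbFindLeaf"), so the two commits cannot be told apart in git log or in stable backport requests; a subject that names the defect, such as "jfs: fix off-by-one in dbFindLeaf bounds check", would help. The `>` to `>=` change in the hunk is correct given that `dmt_stree` has `max_size` elements, but an index that can only be reached through a corrupted `dmt_height` is now reported as -ENOSPC, which callers treat as "no free space" rather than as on-disk corruption; a comment at the check saying that this return also covers an oversized `dmt_height`, or a validation of `dmt_height` where it is read, would document that choice.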
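To make the off-by-one described in the commit message concrete, the following is an added userspace model of the dbFindLeaf descent; it is not the kernel's code and not part of this patch. It keeps the page's constants and names (CTLTREESIZE, `x + n`, `max_size`, the four siblings per level) and lets you switch between the original `>` check and the patched `>=` check; the child-index arithmetic `((ti + n) << 2) + 1`, the all-free tree contents and the MODEL_OOB result code are assumptions of the model. With a dmapctl's five levels below the root the leftmost walk ends at index 341; a fuzzed height of 6 reaches index 1365 == CTLTREESIZE, which `>` lets through and `>=` rejects.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTLTREESIZE 1365  /* dmt_stree size of a dmapctl, as in the UBSAN report */
#define ENOSPC 28
#define MODEL_OOB (-1000) /* model-only result: the walk would read stree[max_size] */
typedef int8_t s8;

/* Model of the dbFindLeaf descent (an assumption, not the kernel's code): four
 * siblings per level, children of node (ti + n) start at ((ti + n) << 2) + 1. */
static int model_find_leaf(const s8 *stree, int max_size, int height,
                           int l2nb, bool patched, int *leafidx)
{
    int ti, n = 0, k, x = 0;
    for (k = height, ti = 1; k > 0; k--, ti = ((ti + n) << 2) + 1) {
        for (x = ti, n = 0; n < 4; n++) {
            /* the check under review: the original ">" lets x + n == max_size through */
            if (patched ? (x + n >= max_size) : (x + n > max_size))
                return -ENOSPC;
            if (x + n >= max_size)  /* model guard: report instead of reading OOB */
                return MODEL_OOB;
            if (l2nb <= stree[x + n])
                break;
        }
        if (n == 4)
            return -ENOSPC;
    }
    *leafidx = x + n;
    return 0;
}

/* Constructed tree where every node reports plenty of free space, so the walk takes
 * the leftmost child each level: 1, 5, 21, 85, 341, then 1365 (== CTLTREESIZE). */
static int walk_with_height(int height, bool patched)
{
    s8 stree[CTLTREESIZE];
    int leaf = -1, rc;
    memset(stree, 10, sizeof(stree));
    rc = model_find_leaf(stree, CTLTREESIZE, height, 0, patched, &leaf);
    return rc == 0 ? leaf : rc;
}

int main(void)
{
    printf("height 5, '>' check:  %d\n", walk_with_height(5, false)); /* 341 */
    printf("height 6, '>' check:  %d\n", walk_with_height(6, false)); /* -1000 */
    printf("height 6, '>=' check: %d\n", walk_with_height(6, true));  /* -28 */
    return 0;
}
```

The model returns MODEL_OOB where the unpatched kernel would read `dmt_stree[1365]`, which is exactly the access UBSAN flagged.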