[PATCH] jfs: fix slab-out-of-bounds read in dbAllocBits

Jun Yeong Kim posted 1 patch 1 week, 6 days ago
When the underlying loop device backend storage is dynamically changed
(e.g., via LOOP_SET_FD), JFS fails to update its internal block
allocation metadata. This causes the `dbAllocBits` function to use
outdated db_agl2size information, resulting in a wrong, oversized agno
value.

This oversized agno leads to a slab-out-of-bounds read access when
accessing mp->db_agfree[agno].

Fix this by adding a bounds check for the calculated agno. If agno
is less than 0 or exceeds MAXAG, return -EIO to prevent the OOB access.

Reported-by: Kun Hu <huk23@m.fudan.edu.cn>
Reported-by: Jiaji Qin <jjtan24@m.fudan.edu.cn>
Reported-by: Shuoran Bai <baishuoran@hrbeu.edu.cn>
Closes: https://syzkaller.appspot.com/bug?extid=0be47376a6acbcba7f0d
Signed-off-by: Jun Yeong Kim <junyeonggim5@gmail.com>
---
 fs/jfs/jfs_dmap.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cb3cda1390ad..79816849aebb 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2288,6 +2288,15 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
 	dmtree_t *tp = (dmtree_t *) & dp->tree;
 	int rc = 0;
 	int size;
+
+	{
+		int check_agno = blkno >> bmp->db_agl2size;
+
+		if (check_agno >= MAXAG || check_agno < 0) {
+			pr_err("JFS: agno out of bounds in dbAllocBits!\n");
+			return -EIO;
+		}
+	}
 
 	/* determine the bit number and word within the dmap of the
 	 * starting block.
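Review bot: the guard is inserted into the prologue of dbFreeBits (the `@@` context line names that function, and `dmtree_t *tp`, `int rc = 0;`, `int size;` are its locals), yet the subject line and the `pr_err("JFS: agno out of bounds in dbAllocBits!\n")` string both say dbAllocBits; either the message and pr_err text should say dbFreeBits, or the check is in the wrong function, because a return here cannot protect an `mp->db_agfree[agno]` access in dbAllocBits. Two further points in the same lines: `int check_agno = blkno >> bmp->db_agl2size;` narrows the s64 shift result to int before the range test, so an agno that is far out of range in s64 can wrap into [0, MAXAG) and pass, so keep the value in s64 (and reject a negative blkno explicitly) and compare before narrowing; and the block-scoped `{ ... }` around a local declaration is not kernel style, so declare the variable with the function's other locals. MAXAG is only the compile-time maximum; if the bitmap records how many allocation groups this filesystem actually has, bounding against that value would catch a stale db_agl2size earlier than MAXAG does.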
-- 
2.47.3
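The following is an added stand-alone model of the agno range check, not code from this patch or from the JFS tree. It places the check exactly as posted (shift result narrowed to int before the comparison) beside a variant that keeps the arithmetic in s64, rejects a negative block number, and also bounds against the number of allocation groups the bitmap describes. `struct toy_bmap`, the field `db_numag`, and both function names are assumptions made for the example; MAXAG is the JFS constant, and all inputs are constructed here.

```c
/*
 * Added example, not part of the patch or of fs/jfs: models the agno
 * bounds check in isolation so the two variants can be run on
 * constructed inputs.
 */
#include <stdint.h>
#include <stdio.h>

typedef int64_t s64;

#define MAXAG 128   /* JFS maximum number of allocation groups */
#define EIO   5     /* errno value behind the patch's return -EIO */

/* Toy stand-in for the bmap fields the check touches (assumed names). */
struct toy_bmap {
	int db_agl2size;  /* log2 of the allocation-group size in blocks */
	int db_numag;     /* AGs actually present on this fs (assumed field) */
};

/* Check as posted: the s64 shift result is narrowed to int first. */
static int agno_check_posted(const struct toy_bmap *bmp, s64 blkno)
{
	int check_agno = blkno >> bmp->db_agl2size;

	if (check_agno >= MAXAG || check_agno < 0)
		return -EIO;
	return 0;
}

/*
 * Hardened variant: validate the shift amount, refuse a negative blkno,
 * compare in s64 against both MAXAG and the fs's own AG count, and only
 * then narrow to int for use as an array index.
 */
static int agno_check_s64(const struct toy_bmap *bmp, s64 blkno, int *agno_out)
{
	s64 agno;

	if (blkno < 0 || bmp->db_agl2size < 0 || bmp->db_agl2size > 63)
		return -EIO;
	agno = blkno >> bmp->db_agl2size;
	if (agno >= MAXAG || agno >= bmp->db_numag)
		return -EIO;
	*agno_out = (int)agno;
	return 0;
}

int main(void)
{
	/* Constructed: a bitmap whose AG size is 1 block and which has 4 AGs. */
	struct toy_bmap bmp = { .db_agl2size = 0, .db_numag = 4 };
	/* Constructed: a block number whose agno is huge in s64 but wraps to 5 in int. */
	s64 wrapped = ((s64)1 << 32) + 5;
	int agno = -1;

	printf("posted check:   %d (0 means accepted)\n", agno_check_posted(&bmp, wrapped));
	printf("s64 check:      %d (-EIO means rejected)\n", agno_check_s64(&bmp, wrapped, &agno));
	return 0;
}
```

On GCC and Clang the narrowing conversion is modulo 2^32, so the posted form accepts the wrapped value; the s64 form rejects it, and additionally rejects an agno that is below MAXAG but beyond the AG count recorded in the toy bitmap.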