From: Jun Yeong Kim
To: shaggy@kernel.org
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, huk23@m.fudan.edu.cn, jjtan24@m.fudan.edu.cn, baishuoran@hrbeu.edu.cn, Jun Yeong Kim
Subject: [PATCH] jfs: fix slab-out-of-bounds read in dbAllocBits
Date: Sat, 21 Mar 2026 22:29:17 +0900
Message-ID: <20260321132917.244818-1-junyeonggim5@gmail.com>
X-Mailer: git-send-email 2.47.3
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

When the underlying loop device backend storage is dynamically changed
(e.g., via LOOP_SET_FD), JFS fails to update its internal block allocation
metadata. This causes the `dbAllocBits` function to use outdated
db_agl2size information, resulting in a wrong, oversized agno value.
This oversized agno leads to a slab-out-of-bounds read access when
accessing mp->db_agfree[agno].

Fix this by adding a bounds check for the calculated agno. If agno is
less than 0 or exceeds MAXAG, return -EIO to prevent the OOB access.

Reported-by: Kun Hu
Reported-by: Jiaji Qin
Reported-by: Shuoran Bai
Closes: https://syzkaller.appspot.com/bug?extid=0be47376a6acbcba7f0d
Signed-off-by: Jun Yeong Kim
---
 fs/jfs/jfs_dmap.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cb3cda1390ad..79816849aebb 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2288,6 +2288,15 @@ static int dbFreeBits(struct bmap * bmp, struct dmap= * dp, s64 blkno, dmtree_t *tp =3D (dmtree_t *) & dp->tree; int rc =3D 0; int size; + + { + int check_agno =3D blkno >> bmp->db_agl2size; + + if (check_agno >=3D MAXAG || check_agno < 0) { + pr_err("JFS: agno out of bounds in dbAllocBits!\n"); + return -EIO; + } + } =20 /* determine the bit number and word within the dmap of the * starting block. --=20 2.47.3
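Review bot: The check is inserted into a different function from the one the patch claims to fix: the hunk header reads `@@ -2288,6 +2288,15 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,` and the context lines (`int rc = 0;`, `int size;`) are the locals at the top of dbFreeBits, while the subject, the commit message and the added `pr_err("JFS: agno out of bounds in dbAllocBits!\n")` all name dbAllocBits. Either the hunk belongs in dbAllocBits or the message and string are wrong; a check in dbFreeBits does nothing for an out-of-bounds index computed in dbAllocBits, so this has to be reconciled before it can be merged. On the added lines themselves: `int check_agno = blkno >> bmp->db_agl2size;` truncates the s64 shift result to int before the comparison, so a large blkno whose shifted value exceeds 32 bits can wrap into the accepted range and pass the `>= MAXAG || < 0` test; keep the value as s64 (`s64 check_agno = blkno >> bmp->db_agl2size;`) or compare the shift expression directly. The anonymous `{ ... }` block used only to scope the variable is not kernel style; declare it with the function's other locals, and since the function already computes agno from the same shift, reuse that value rather than repeating it. Finally, the commit message says `mp->db_agfree[agno]` while the hunk uses `bmp`; correct the message.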