From: Pengpeng Hou
To: Dave Kleikamp
Cc: Arnd Bergmann, Aditya Dutt, Zheng Yu, jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn
Subject: [PATCH] jfs: bound readdir name expansion to the dirent page
Date: Wed, 25 Mar 2026 10:26:43 +0800
Message-ID: <20260325022643.769-1-pengpeng@iscas.ac.cn>

jfs_readdir() checks the remaining dirent page space with d->namlen + 1 before calling jfs_strfromUCS_le(). That is too small once a codepage is active, because each UCS-2 character can expand to up to NLS_MAX_CHARSET_SIZE output bytes.
The current check also starts from the dirent base rather than the name field, so it does not account for the dirent header bytes already consumed on the page. Compute the worst-case number of output bytes for the directory name and reject entries whose expanded name would run past the end of the one-page dirent buffer before converting them. Signed-off-by: Pengpeng Hou --- fs/jfs/jfs_dtree.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c index 9ab3f2fc61d1..aacfbe91b256 100644 --- a/fs/jfs/jfs_dtree.c +++ b/fs/jfs/jfs_dtree.c @@ -2732,6 +2732,7 @@ int jfs_readdir(struct file *file, struct dir_context= *ctx) struct ldtentry *d; struct dtslot *t; int d_namleft, len, outlen; + size_t max_name_bytes; unsigned long dirent_buf; char *name_ptr; u32 dir_index; @@ -2913,8 +2914,12 @@ int jfs_readdir(struct file *file, struct dir_contex= t *ctx) =20 d =3D (struct ldtentry *) & p->slot[stbl[i]]; =20 - if (((long) jfs_dirent + d->namlen + 1) > - (dirent_buf + PAGE_SIZE)) { + max_name_bytes =3D d->namlen; + if (codepage) + max_name_bytes *=3D NLS_MAX_CHARSET_SIZE; + + if ((char *)jfs_dirent->name + max_name_bytes + 1 > + (char *)dirent_buf + PAGE_SIZE) { /* DBCS codepages could overrun dirent_buf */ index =3D i; overflow =3D 1; --=20 2.50.1 (Apple Git-155)
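Review bot: in the second hunk the new condition forms `(char *)jfs_dirent->name + max_name_bytes + 1` before comparing it with the page end, so it computes a pointer that can lie beyond the one-page dirent buffer; the code being removed sidestepped that by casting to `long` before doing the arithmetic. Comparing offsets instead keeps the intent (header bytes plus worst-case expansion plus the terminating NUL) without ever forming such a pointer, e.g. `if ((unsigned long)jfs_dirent->name - dirent_buf + max_name_bytes + 1 > PAGE_SIZE)`. The bound itself looks right: d->namlen is the UCS-2 character count and jfs_strfromUCS_le() hands uni2char() NLS_MAX_CHARSET_SIZE as its limit per character when a codepage is set, and writes one byte per character otherwise.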
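Added example, not code from the patch or from the JFS tree: a stand-alone C model of the per-entry page-space check in jfs_readdir(), run with both the old bound (namlen + 1 from the dirent base) and the patched bound (worst-case expansion from the name field). It assumes PAGE_SIZE is 4096 and NLS_MAX_CHARSET_SIZE is 6 as in the kernel, uses struct dirent_model as a stand-in for struct jfs_dirent, and uses worst_uni2char() as a hypothetical codepage that expands every character to the maximum; strfrom_ucs() is a simplified model of jfs_strfromUCS_le(), and the name data is constructed. A canary region after the page lets the example measure the overrun instead of corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed kernel values: 4 KiB pages, NLS_MAX_CHARSET_SIZE == 6. */
#define PAGE_SIZE            4096
#define NLS_MAX_CHARSET_SIZE 6
/* Canary slack after the page, large enough for any u8 namlen overrun. */
#define GUARD                2048

/* Stand-in for struct jfs_dirent: fixed header, then the name bytes. */
struct dirent_model {
	uint64_t ino;
	uint32_t position;
	uint16_t name_len;
	char name[];
};

/* Old check: namlen + 1 bytes measured from the dirent base. */
static bool old_check(size_t ent_off, size_t namlen)
{
	return ent_off + namlen + 1 <= PAGE_SIZE;
}

/* Patched check: worst-case output bytes measured from the name field. */
static bool new_check(size_t ent_off, size_t namlen, bool codepage)
{
	size_t max_name_bytes = namlen;

	if (codepage)
		max_name_bytes *= NLS_MAX_CHARSET_SIZE;
	return ent_off + offsetof(struct dirent_model, name) +
	       max_name_bytes + 1 <= PAGE_SIZE;
}

/* Hypothetical codepage: every character becomes NLS_MAX_CHARSET_SIZE bytes,
 * which is exactly the bound uni2char() is handed. */
static int worst_uni2char(uint16_t uni, char *out, int boundlen)
{
	(void)uni;
	if (boundlen < NLS_MAX_CHARSET_SIZE)
		return -1;
	memset(out, 'x', NLS_MAX_CHARSET_SIZE);
	return NLS_MAX_CHARSET_SIZE;
}

/* Simplified model of jfs_strfromUCS_le(): convert, NUL-terminate, return
 * the number of bytes before the NUL. */
static size_t strfrom_ucs(char *to, const uint16_t *from, size_t len,
			  bool codepage)
{
	size_t i, outlen = 0;

	for (i = 0; i < len && from[i]; i++) {
		if (codepage) {
			int n = worst_uni2char(from[i], &to[outlen],
					       NLS_MAX_CHARSET_SIZE);
			outlen += n > 0 ? (size_t)n : 0;
			if (n <= 0)
				to[outlen++] = '?';
		} else {
			/* No codepage: one byte per character. */
			to[outlen++] = (from[i] & 0xff00) ? '?' : (char)from[i];
		}
	}
	to[outlen] = '\0';
	return outlen;
}

struct place_result {
	bool rejected;          /* entry would be deferred to the next page */
	size_t guard_clobbered; /* bytes written past PAGE_SIZE */
};

/* Place one entry at byte offset ent_off in a page followed by a canary,
 * apply the chosen check, convert if it passes, and count canary damage. */
static struct place_result place_entry(size_t ent_off, size_t namlen,
				       bool codepage, bool use_new_check)
{
	static uint64_t storage[(PAGE_SIZE + GUARD) / sizeof(uint64_t)];
	char *page = (char *)storage;
	struct place_result r = { false, 0 };
	uint16_t ucs[256];	/* constructed name: U+00E9 repeated */
	struct dirent_model *ent;
	size_t i;

	if (namlen > 255)	/* d->namlen is a u8 in the on-disk entry */
		namlen = 255;
	for (i = 0; i < namlen; i++)
		ucs[i] = 0x00e9;
	memset(page, 0, PAGE_SIZE);
	memset(page + PAGE_SIZE, 0xAA, GUARD);

	if (!(use_new_check ? new_check(ent_off, namlen, codepage)
			    : old_check(ent_off, namlen))) {
		r.rejected = true;
		return r;
	}
	ent = (struct dirent_model *)(page + ent_off);
	ent->name_len = (uint16_t)strfrom_ucs(ent->name, ucs, namlen, codepage);
	for (i = 0; i < GUARD; i++)
		if ((unsigned char)page[PAGE_SIZE + i] != 0xAA)
			r.guard_clobbered++;
	return r;
}

int main(void)
{
	struct place_result a = place_entry(3968, 64, true, false);
	struct place_result b = place_entry(3968, 120, false, false);
	struct place_result c = place_entry(3968, 64, true, true);

	printf("old check, codepage, 64 chars: %zu bytes past page\n", a.guard_clobbered);
	printf("old check, no codepage, 120 chars: %zu bytes past page\n", b.guard_clobbered);
	printf("new check, codepage, 64 chars: %s\n", c.rejected ? "deferred" : "placed");
	return 0;
}
```

The first case shows the codepage expansion the commit message describes, and the second shows the header-offset problem on its own: even with one byte per character, counting from the dirent base rather than the name field lets the NUL and the tail of the name land past the page. The patched bound defers both entries to the next page.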