For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH v2] jfs: fix slab-out-of-bounds in dbAllocBits and dbFreeBits
Author: junyeonggim5@gmail.com

When the underlying loop device backend storage is dynamically changed
(e.g., via LOOP_SET_FD), JFS fails to update its internal block
allocation metadata. This causes dbAllocBits and dbFreeBits to use
stale db_agl2size, producing an out-of-range agno value that leads to
an out-of-bounds access on mp->db_agfree[agno].

Add bounds checks for agno in both dbAllocBits and dbFreeBits. If agno
is negative or exceeds MAXAG, report the error via jfs_error() and
return early to prevent the OOB access.

Reported-by: syzbot+0be47376a6acbcba7f0d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0be47376a6acbcba7f0d

Signed-off-by: Jun Yeong Kim <junyeonggim5@gmail.com>
---
 fs/jfs/jfs_dmap.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cb3cda1390ad..c67ff5df0340 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2142,6 +2142,12 @@ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
 	int size;
 	s8 *leaf;
 
+	agno = blkno >> bmp->db_agl2size;
+	if (agno < 0 || agno >= MAXAG) {
+		jfs_error(bmp->db_ipbmap->i_sb, "%s: agno %d out of range\n", __func__, agno);
+		return;
+	}
+
 	/* pick up a pointer to the leaves of the dmap tree */
 	leaf = dp->tree.stree + LEAFIND;
 
@@ -2289,6 +2295,12 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
 	int rc = 0;
 	int size;
 
+	agno = blkno >> bmp->db_agl2size;
+	if (agno < 0 || agno >= MAXAG) {
+		jfs_error(bmp->db_ipbmap->i_sb, "%s: agno %d out of range\n", __func__, agno);
+		return -EIO;
+	}
+
 	/* determine the bit number and word within the dmap of the
 	 * starting block.
 	 */
-- 
2.47.3

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master