From: "1016331059@qq.com" <1016331059@qq.com>
To: "stable@vger.kernel.org"
CC: "mark@fasheh.com", "jlbec@evilplan.org", "joseph.qi@linux.alibaba.com", "linux-kernel@vger.kernel.org", "syzkaller-bugs@googlegroups.com", "syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com"
Subject: [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume
Date: Tue, 24 Mar 2026 08:51:42 +0000

This patch is a backport to stable 5.15.y of upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This patch addresses a shift-out-of-bounds error in the ocfs2_verify_volume() function. The bug can be triggered by an invalid s_clustersize_bits value, which causes the expression 1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits) to exceed the valid shift range of a 32-bit integer, leading to an out-of-bounds shift reported by UBSAN.

Instead of performing the invalid shift while printing the error message, log the raw s_clustersize_bits value directly.

This backport was also tested by syzbot on Linux 5.15.201 (commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y tree), and the reproducer did not trigger any issue.

[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ] Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname Reported-by: syzbot Closes: https://syzkaller.appspot.com/bug?extid=3Df3fff775402751ebb471 Tested-by: syzbot Reviewed-by: Joseph Qi Link: https://syzkaller.appspot.com/bug?extid=3Dc6104ecfe56e0fd6b616 Tested-by: syzbot Signed-off-by: Qasim Ijaz Signed-off-by: Changjian Liu --- fs/ocfs2/super.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c index bb174009206e..ae2ba616756d 100644 --- a/fs/ocfs2/super.c +++ b/fs/ocfs2/super.c @@ -2369,8 +2369,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *d= i, (unsigned long long)bh->b_blocknr); } else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 || le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) { - mlog(ML_ERROR, "bad cluster size found: %u\n", - 1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)); + mlog(ML_ERROR, "bad cluster size bit found: %u\n", + le32_to_cpu(di->id2.i_super.s_clustersize_bits)); } else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) { mlog(ML_ERROR, "bad root_blkno: 0\n"); } else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) { --=20 2.43.0
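
Review bot: In the s_clustersize_bits branch of ocfs2_verify_volume(), the new message "bad cluster size bit found: %u" prints the on-disk exponent rather than a byte count, but the wording does not say so and does not name the accepted range, so someone reading the log cannot tell that 12..20 was expected. A message along the lines of "bad s_clustersize_bits: %u (valid 12..20)" would make that clear. The same branch also runs le32_to_cpu() on the field three times (twice in the condition, once in the mlog() call); reading it once into a local u32 ahead of the if/else chain would make it obvious that the value checked and the value logged are the same. Since this is a 5.15.y backport, both points are better raised against the upstream commit so that stable stays identical to it.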