From: Edward Adam Davis
To: syzbot+1afe7ef2d0062e19eeb3@syzkaller.appspotmail.com
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, shaggy@kernel.org, syzkaller-bugs@googlegroups.com
Subject: [PATCH] jfs: fix oob in dbFindLeaf
Date: Thu, 8 Jan 2026 22:45:44 +0800
In-Reply-To: <695faa63.050a0220.1c677c.039a.GAE@google.com>

The initial value of x is ti, and there is a potential risk that the value of ti might equal max_size. The existing boundary checks have been improved to prevent the out-of-bounds (OOB) issue [1] reported by syzbot.

[1]
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2976:16
index 1365 is out of range for type 's8[1365]' (aka 'signed char[1365]')
Call Trace:
 dbFindLeaf+0x308/0x520 fs/jfs/jfs_dmap.c:2976
 dbFindCtl+0x267/0x520 fs/jfs/jfs_dmap.c:1717
 dbAllocAny fs/jfs/jfs_dmap.c:1527 [inline]

Reported-by: syzbot+1afe7ef2d0062e19eeb3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1afe7ef2d0062e19eeb3
Signed-off-by: Edward Adam Davis
--- fs/jfs/jfs_dmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index cdfa699cd7c8..18a7dc58f289 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -2971,7 +2971,7 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *le= afidx, bool is_ctl) /* sufficient free space found. move to the next * level (or quit if this is the last level). */ - if (x + n > max_size) + if (x + n >=3D max_size) return -ENOSPC; if (l2nb <=3D tp->dmt_stree[x + n]) break; --=20 2.43.0
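
Review bot: The changelog for this one-line change in dbFindLeaf() should spell out the off-by-one and carry a Fixes: tag for the commit that added the `x + n > max_size` test. The UBSAN report shows index 1365 against `s8[1365]`, so the last valid index is max_size - 1, and the old test let `x + n == max_size` through to `tp->dmt_stree[x + n]` on the next line; `>=` closes that case. The message says ti "might equal max_size" but not how it gets there; if the value is derived from on-disk data, say so in the changelog, and consider whether -ENOSPC is the right return for that condition, since callers cannot tell it apart from an ordinary lack of free space.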