From: Edward Adam Davis
To: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, shaggy@kernel.org, syzkaller-bugs@googlegroups.com
Subject: [PATCH] jfs: Add a sanity check for budmin
Date: Sun, 7 Dec 2025 11:52:57 +0800
X-OQ-MSGID: <20251207035256.432600-2-eadavis@qq.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <69345a63.a70a0220.38f243.0031.GAE@google.com>
References: <69345a63.a70a0220.38f243.0031.GAE@google.com>

In a corrupted file system image, the budmin value is less than 0, which
causes the lazycommit thread to report an out-of-bounds error when
retrieving the buddy size in dbJoin [1].

Add a check for potentially negative budmin to avoid the problem in [1].

[1]
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2795:11
shift exponent 132 is too large for 32-bit type 'int'
Call Trace:
 dbJoin+0x2dc/0x300 fs/jfs/jfs_dmap.c:2795
 dbFreeBits+0x4e1/0xdb0 fs/jfs/jfs_dmap.c:2340
 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
 dbFree+0x336/0x650 fs/jfs/jfs_dmap.c:398
 txFreeMap+0x7ff/0xde0 fs/jfs/jfs_txnmgr.c:2535
 txUpdateMap+0x308/0x9c0 fs/jfs/jfs_txnmgr.c:-1
 txLazyCommit fs/jfs/jfs_txnmgr.c:2665 [inline]
 jfs_lazycommit+0x3f1/0xa10 fs/jfs/jfs_txnmgr.c:2734

Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
Tested-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis
---
 fs/jfs/jfs_dmap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..8f8084756e32 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2291,6 +2291,8 @@ static int dbFreeBits(struct bmap * bmp, struct dmap = * dp, s64 blkno, int rc =3D 0; int size; =20 + if (tp->dmt_budmin < 0) + return -EUCLEAN; /* determine the bit number and word within the dmap of the * starting block. */ --=20 2.43.0
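Review bot: the new `if (tp->dmt_budmin < 0) return -EUCLEAN;` guards only the dbFreeBits entry point, yet `dmt_budmin` is an on-disk field of the dmap tree that the shift in dbJoin (and the other tree-adjusting helpers in this file that compute a buddy size from it) consumes regardless of which caller reaches them, so a corrupted value stays reachable through paths that do not pass through dbFreeBits; a single validation where the dmap page is read in, or a check inside dbJoin immediately before the buddy-size shift, would cover every consumer. The error path is also silent: the reported trace shows this being hit from txFreeMap in the lazycommit thread, where a bare -EUCLEAN return has no user-visible consumer, so pairing the check with jfs_error() on bmp->db_ipbmap->i_sb (as other corruption checks in jfs do) would at least record the corruption and apply the mounted filesystem's configured error behaviour. Finally, the commit message should spell out what the check protects against, namely that BUDSIZE shifts by `newval - budmin`, which is why a negative budmin produced the exponent of 132 in the UBSAN report.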