From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Edward Adam Davis <eadavis@qq.com>,
syzbot+7c808908291a569281a9@syzkaller.appspotmail.com,
Dave Kleikamp <dave.kleikamp@oracle.com>,
Sasha Levin <sashal@kernel.org>,
shaggy@kernel.org, rand.sec96@gmail.com, peili.dev@gmail.com,
niharchaithanya@gmail.com, ghanshyam1898@gmail.com,
rbrasga@uci.edu, aha310510@gmail.com,
jfs-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 6.1 07/18] jfs: add sanity check for agwidth in dbMount
Date: Thu, 3 Apr 2025 15:08:33 -0400 [thread overview]
Message-ID: <20250403190845.2678025-7-sashal@kernel.org> (raw)
In-Reply-To: <20250403190845.2678025-1-sashal@kernel.org>
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit ddf2846f22e8575d6b4b6a66f2100f168b8cd73d ]
The width in dmapctl of the AG is zero, it trigger a divide error when
calculating the control page level in dbAllocAG.
To avoid this issue, add a check for agwidth in dbAllocAG.
Reported-and-tested-by: syzbot+7c808908291a569281a9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7c808908291a569281a9
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 11b6be462575c..5e32526174e88 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -204,6 +204,10 @@ int dbMount(struct inode *ipbmap)
bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
+ if (!bmp->db_agwidth) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
--
2.39.5
next prev parent reply other threads:[~2025-04-03 19:09 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-03 19:08 [f2fs-dev] [PATCH AUTOSEL 6.1 01/18] f2fs: don't retry IO for corrupted data scenario Sasha Levin via Linux-f2fs-devel
2025-04-03 19:08 ` Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 02/18] page_pool: avoid infinite loop to schedule delayed worker Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 03/18] jfs: Fix uninit-value access of imap allocated in the diMount() function Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 04/18] fs/jfs: cast inactags to s64 to prevent potential overflow Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 05/18] fs/jfs: Prevent integer overflow in AG size calculation Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 06/18] jfs: Prevent copying of nlink with value 0 from disk inode Sasha Levin
2025-04-03 19:08 ` Sasha Levin [this message]
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 08/18] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Sasha Levin
2025-04-03 19:08 ` [f2fs-dev] [PATCH AUTOSEL 6.1 09/18] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Sasha Levin via Linux-f2fs-devel
2025-04-03 19:08 ` Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 10/18] ahci: add PCI ID for Marvell 88SE9215 SATA Controller Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 11/18] ext4: protect ext4_release_dquot against freezing Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 12/18] ext4: ignore xattrs past end Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 13/18] scsi: st: Fix array overflow in st_setup() Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 14/18] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 15/18] net: vlan: don't propagate flags on open Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 16/18] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 17/18] Bluetooth: hci_uart: fix race during initialization Sasha Levin
2025-04-03 19:08 ` [PATCH AUTOSEL 6.1 18/18] Bluetooth: qca: simplify WCN399x NVM loading Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250403190845.2678025-7-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=aha310510@gmail.com \
--cc=dave.kleikamp@oracle.com \
--cc=eadavis@qq.com \
--cc=ghanshyam1898@gmail.com \
--cc=jfs-discussion@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=niharchaithanya@gmail.com \
--cc=peili.dev@gmail.com \
--cc=rand.sec96@gmail.com \
--cc=rbrasga@uci.edu \
--cc=shaggy@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+7c808908291a569281a9@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.