From: syzbot <syzbot+4c1966e88c28fa96e053@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
xandfury@gmail.com
Subject: Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbSplit (3)
Date: Sun, 28 Sep 2025 13:14:03 -0700 [thread overview]
Message-ID: <68d9970b.050a0220.1696c6.0008.GAE@google.com> (raw)
In-Reply-To: <87bjmu2vsk.fsf@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: shift-out-of-bounds in dbSplit
loop0: detected capacity change from 0 to 32768
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2641:11
shift exponent 110 is too large for 32-bit type 'int'
CPU: 0 UID: 0 PID: 5828 Comm: syz.0.16 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
__ubsan_handle_shift_out_of_bounds+0x386/0x410 lib/ubsan.c:494
dbSplit+0x1f8/0x200 fs/jfs/jfs_dmap.c:2641
dbAdjCtl+0x34c/0xa20 fs/jfs/jfs_dmap.c:2533
dbAllocDmap fs/jfs/jfs_dmap.c:2044 [inline]
dbAllocNear+0x2ee/0x3d0 fs/jfs/jfs_dmap.c:1247
dbAlloc+0x933/0xba0 fs/jfs/jfs_dmap.c:832
ea_write+0x374/0xdd0 fs/jfs/xattr.c:232
ea_put fs/jfs/xattr.c:619 [inline]
__jfs_setxattr+0xa01/0x1120 fs/jfs/xattr.c:792
__jfs_xattr_set+0xda/0x170 fs/jfs/xattr.c:941
__vfs_setxattr+0x43c/0x480 fs/xattr.c:200
__vfs_setxattr_noperm+0x12d/0x660 fs/xattr.c:234
vfs_setxattr+0x16b/0x2f0 fs/xattr.c:321
do_setxattr fs/xattr.c:636 [inline]
filename_setxattr+0x274/0x600 fs/xattr.c:665
path_setxattrat+0x364/0x3a0 fs/xattr.c:713
__do_sys_lsetxattr fs/xattr.c:754 [inline]
__se_sys_lsetxattr fs/xattr.c:750 [inline]
__x64_sys_lsetxattr+0xbf/0xe0 fs/xattr.c:750
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f643b38e969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f643c1ce038 EFLAGS: 00000246 ORIG_RAX: 00000000000000bd
RAX: ffffffffffffffda RBX: 00007f643b5b5fa0 RCX: 00007f643b38e969
RDX: 0000000000000000 RSI: 0000200000000200 RDI: 0000200000000040
RBP: 00007f643b410ab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f643b5b5fa0 R15: 00007fff5f732f08
</TASK>
---[ end trace ]---
Tested on:
commit: 8f973663 Merge tag 'trace-v6.17-rc7' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=154abf12580000
kernel config: https://syzkaller.appspot.com/x/.config?x=71b8dca8b0315854
dashboard link: https://syzkaller.appspot.com/bug?extid=4c1966e88c28fa96e053
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Note: no patches were applied.
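The report above says only that dbSplit shifted a 32-bit int by 110 at fs/jfs/jfs_dmap.c:2641 while allocating blocks for an extended attribute; it does not show the source. What follows is an added example, not code from the syzbot report or from fs/jfs, of the guard a reviewer would want around a shift whose exponent is derived from on-disk metadata: reject the exponent before shifting instead of letting the shift happen. The BUDSIZE-style macro, the names bud_size_checked and first_bad_leaf, the budmin parameter and the sample leaf array are assumptions made for illustration and do not reproduce the kernel's real layout.

```c
/*
 * Added example, not code from the syzbot report or from fs/jfs: a guarded
 * version of the "1 << (size - budmin)" pattern of the kind UBSAN flagged in
 * dbSplit. The macro, the leaf/budmin names and the sample tree below are
 * assumptions for illustration; the kernel's real layout is not on the page.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <stdio.h>

/* Unchecked form (assumed to mirror a BUDSIZE-style macro). With s = 111 and
 * m = 1 the exponent is 110, the value in the report, and the shift is
 * undefined behaviour for a 32-bit int. */
#define BUDSIZE_UNCHECKED(s, m) (1 << ((s) - (m)))

/* Largest exponent for which 1 << e is defined for a signed 32-bit int:
 * e = 31 would land in the sign bit, which UBSAN's shift-base check flags. */
#define MAX_INT_SHIFT ((int)(sizeof(int) * CHAR_BIT) - 2)

/* Checked form: stores 1 << (size - budmin) in *out and returns true, or
 * returns false (leaving *out untouched) when the exponent is out of range.
 * Both operands are treated as untrusted values read from disk. */
static bool bud_size_checked(int size, int budmin, int *out)
{
    int shift = size - budmin;
    if (shift < 0 || shift > MAX_INT_SHIFT)
        return false;           /* corrupt metadata: refuse, do not shift */
    *out = 1 << shift;
    return true;
}

/* Constructed sample "tree" (not real JFS data): log2 sizes stored as s8.
 * -1 stands for a leaf with nothing free; 111 is a corrupted entry that
 * yields the exponent 110 from the report when budmin == 1. */
static const int8_t sample_leaves[] = { -1, 2, 4, 111, 3 };
static const size_t sample_leaf_count =
    sizeof(sample_leaves) / sizeof(sample_leaves[0]);

/* Validate every leaf before any split logic runs on it. Returns the index
 * of the first leaf whose buddy size cannot be computed, or -1 if all are
 * sane. Leaves at or below budmin are assumed to need no split and are
 * skipped, so a -1 (nothing free) entry is not reported as corrupt. */
static int first_bad_leaf(const int8_t *leaf, size_t n, int budmin)
{
    for (size_t i = 0; i < n; i++) {
        int unused;
        if (leaf[i] <= budmin)
            continue;
        if (!bud_size_checked(leaf[i], budmin, &unused))
            return (int)i;
    }
    return -1;
}

int main(void)
{
    int bud;

    if (bud_size_checked(4, 1, &bud))
        printf("size 4, budmin 1 -> buddy size %d (unchecked macro gives %d)\n",
               bud, BUDSIZE_UNCHECKED(4, 1));
    if (!bud_size_checked(111, 1, &bud))
        printf("size 111, budmin 1 -> rejected (exponent 110)\n");
    printf("first corrupt leaf in sample tree: %d\n",
           first_bad_leaf(sample_leaves, sample_leaf_count, 1));
    return 0;
}
```

The point of the helper is that the range check runs on the exponent, not on the shifted result: once the shift has executed with an exponent of 110 the compiler is free to produce anything, so an after-the-fact sanity check on the value cannot catch it. Running the whole tree through first_bad_leaf at read time, rather than at each split, also gives the filesystem one place to reject a corrupt image before any allocator code consumes it.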
Thread overview: 3+ messages
[not found] <87bjmu2vsk.fsf@gmail.com>
2025-09-28 20:14 ` syzbot [this message]
[not found] <0d4d0121-cf1f-4149-9887-f02f03a012ff@windriver.com>
2025-11-19 3:16 ` [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbSplit (3) syzbot
2025-04-30 21:08 syzbot