* [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)
From: syzbot @ 2025-12-06 16:31 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 4a26e7032d7d Merge tag 'core-bugs-2025-12-01' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11ea9512580000
kernel config: https://syzkaller.appspot.com/x/.config?x=dd808c444ce84c8
dashboard link: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14dbe192580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=112d92b4580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a40b77c72522/disk-4a26e703.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b2b4fa9b2036/vmlinux-4a26e703.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7105f0502b78/bzImage-4a26e703.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1f7c2e37ce13/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=170ab512580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2795:11
shift exponent 132 is too large for 32-bit type 'int'
CPU: 0 UID: 0 PID: 123 Comm: jfsCommit Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
__ubsan_handle_shift_out_of_bounds+0x386/0x410 lib/ubsan.c:494
dbJoin+0x2dc/0x300 fs/jfs/jfs_dmap.c:2795
dbFreeBits+0x4e1/0xdb0 fs/jfs/jfs_dmap.c:2340
dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
dbFree+0x336/0x650 fs/jfs/jfs_dmap.c:398
txFreeMap+0x7ff/0xde0 fs/jfs/jfs_txnmgr.c:2535
txUpdateMap+0x308/0x9c0 fs/jfs/jfs_txnmgr.c:-1
txLazyCommit fs/jfs/jfs_txnmgr.c:2665 [inline]
jfs_lazycommit+0x3f1/0xa10 fs/jfs/jfs_txnmgr.c:2734
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x52d/0xa60 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
---[ end trace ]---
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 0 UID: 0 PID: 123 Comm: jfsCommit Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0x99/0x250 lib/dump_stack.c:120
vpanic+0x237/0x6d0 kernel/panic.c:489
panic+0xb9/0xc0 kernel/panic.c:626
check_panic_on_warn+0x89/0xb0 kernel/panic.c:376
__ubsan_handle_shift_out_of_bounds+0x386/0x410 lib/ubsan.c:494
dbJoin+0x2dc/0x300 fs/jfs/jfs_dmap.c:2795
dbFreeBits+0x4e1/0xdb0 fs/jfs/jfs_dmap.c:2340
dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
dbFree+0x336/0x650 fs/jfs/jfs_dmap.c:398
txFreeMap+0x7ff/0xde0 fs/jfs/jfs_txnmgr.c:2535
txUpdateMap+0x308/0x9c0 fs/jfs/jfs_txnmgr.c:-1
txLazyCommit fs/jfs/jfs_txnmgr.c:2665 [inline]
jfs_lazycommit+0x3f1/0xa10 fs/jfs/jfs_txnmgr.c:2734
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x52d/0xa60 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Kernel Offset: disabled
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)
From: Edward Adam Davis @ 2025-12-07 3:18 UTC (permalink / raw)
To: syzbot+fa603ae6b02658401ca7; +Cc: linux-kernel, syzkaller-bugs
#syz test
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..7c35e69cafb9 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2291,6 +2291,8 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
int rc = 0;
int size;
+ if (tp->dmt_budmin < 0)
+ return -EUCLEAN;
/* determine the bit number and word within the dmap of the
* starting block.
*/
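Review bot: the check is placed in dbFreeBits(), but the shift it protects is in dbJoin() (the trace shows the UBSAN hit at jfs_dmap.c:2795 inside dbJoin, which reads tp->dmt_budmin itself), and dbJoin() is entered from more than this one caller: its `is_ctl` parameter, visible in the dbJoin hunks later in this thread, shows it is also used for control-page trees that never pass through dbFreeBits(). Reject a negative dmt_budmin at the top of dbJoin(), or when the dmap/dmapctl page is read, so every caller is covered rather than only the path this reproducer takes.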
* Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)
From: syzbot @ 2025-12-07 3:52 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Tested-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Tested on:
commit: 37bb2e72 Merge tag 'staging-6.19-rc1' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=135f26c2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=34836e56fe7fb6c8
dashboard link: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=145726c2580000
Note: testing is done by a robot and is best-effort only.
* [PATCH] jfs: Add a sanity check for budmin
From: Edward Adam Davis @ 2025-12-07 3:52 UTC (permalink / raw)
To: syzbot+fa603ae6b02658401ca7
Cc: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
In a corrupted file system image, the budmin value is less than 0,
which causes the lazycommit thread to report an out-of-bounds error
when retrieving the buddy size in dbJoin [1].
Add a check for potentially negative budmin to avoid the problem in [1].
[1]
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2795:11
shift exponent 132 is too large for 32-bit type 'int'
Call Trace:
dbJoin+0x2dc/0x300 fs/jfs/jfs_dmap.c:2795
dbFreeBits+0x4e1/0xdb0 fs/jfs/jfs_dmap.c:2340
dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
dbFree+0x336/0x650 fs/jfs/jfs_dmap.c:398
txFreeMap+0x7ff/0xde0 fs/jfs/jfs_txnmgr.c:2535
txUpdateMap+0x308/0x9c0 fs/jfs/jfs_txnmgr.c:-1
txLazyCommit fs/jfs/jfs_txnmgr.c:2665 [inline]
jfs_lazycommit+0x3f1/0xa10 fs/jfs/jfs_txnmgr.c:2734
Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
Tested-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/jfs/jfs_dmap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..8f8084756e32 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2291,6 +2291,8 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
int rc = 0;
int size;
+ if (tp->dmt_budmin < 0)
+ return -EUCLEAN;
/* determine the bit number and word within the dmap of the
* starting block.
*/
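Review bot: the error code is inconsistent with the rest of the thread. The other proposed fixes for this report return -EIO when the dmap tree is found corrupt, while this hunk returns -EUCLEAN for the same condition; pick one code for "corrupt dmap tree" and use it in both places. The check itself also has nothing at the call site that says why a negative dmt_budmin means corruption (only the changelog does), so a one-line comment above `if (tp->dmt_budmin < 0)` noting that budmin comes from disk and is never negative in a sane tree would keep the intent with the code.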
--
2.43.0
* Forwarded: [PATCH] jfs: fix shift-out-of-bounds in dbJoin
From: syzbot @ 2026-04-17 10:11 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] jfs: fix shift-out-of-bounds in dbJoin
Author: tristmd@gmail.com
From: Tristan Madani <tristan@talencesecurity.com>
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
dbJoin() computes a buddy size via BUDSIZE(newval, budmin), which
expands to 1 << (newval - budmin). If the on-disk tree metadata is
corrupted such that the leaf values or free counts are inconsistent,
newval can exceed budmin + 31, causing a shift-out-of-bounds:
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:2882:11
shift exponent 132 is too large for 32-bit type 'int'
The maximum meaningful newval for a given tree is budmin + l2nleafs,
since BUDSIZE at that point equals nleafs and the while loop would not
execute. Any value beyond that indicates corrupted metadata.
Add a sanity check before the BUDSIZE call: if newval exceeds
budmin + l2nleafs, return -EIO.
Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/jfs/jfs_dmap.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2864,6 +2864,14 @@ static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl)
if (newval >= tp->dmt_budmin) {
/* pickup a pointer to the leaves of the tree.
*/
+
+ /* Validate newval to prevent shift-out-of-bounds in
+ * BUDSIZE. The maximum meaningful value is budmin +
+ * l2nleafs; anything beyond indicates corrupted metadata.
+ */
+ if (newval > tp->dmt_budmin +
+ le32_to_cpu(tp->dmt_l2nleafs))
+ return -EIO;
leaf = tp->dmt_stree + le32_to_cpu(tp->dmt_leafidx);
/* try to join the specified leaf into a large binary
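Review bot: the new bound has the wrong signedness for exactly the case this report is about. le32_to_cpu() returns a u32, so `tp->dmt_budmin + le32_to_cpu(tp->dmt_l2nleafs)` is evaluated as unsigned and `newval` is converted to unsigned for the comparison; with the negative dmt_budmin that the earlier patch in this thread identifies as the corruption, the bound wraps to a value near UINT_MAX, the comparison stays false, and BUDSIZE still shifts by 132. Bound the shift distance directly in int arithmetic, e.g. `if (newval - tp->dmt_budmin >= BITS_PER_TYPE(int)) return -EIO;` inside this `newval >= tp->dmt_budmin` branch, which also stops the check depending on dmt_l2nleafs, another on-disk field that the same corrupted image can carry an inflated value for. Two smaller points: the added blank `+` line and comment now separate the `/* pickup a pointer to the leaves of the tree. */` comment from the `leaf = ...` statement it describes, so place the check above that comment; and `index XXXXXXX..XXXXXXX` together with a hunk at line 2864 while the changelog's trace cites 2882 indicates the diff was hand-edited rather than generated with `git format-patch` against the tree it targets.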
--
2.39.5
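The reasoning in this patch description (BUDSIZE expanding to 1 << (newval - budmin), and the bound newval must stay within) and in the earlier "[PATCH] jfs: Add a sanity check for budmin" (a negative budmin from a corrupted image producing the exponent 132) can be checked in user space. The program below is an added example written for this page; it is not kernel code and not from either patch author. It models the BUDSIZE shift from dbJoin() and the three checks proposed in this thread using the same operand types the kernel expressions have, so the implicit integer conversions behave identically. `struct tree_hdr`, `eval_case` and the other names are assumptions, and the inputs (budmin = -128, newval = 4, l2nleafs = 8 or 100) are constructed for the example, not taken from the reproducer.

```c
/* Added example for this page; not kernel code and not from any patch in
 * the thread.  Models jfs's BUDSIZE(newval, budmin) shift from dbJoin()
 * and the three sanity checks proposed above, using the same operand
 * types the kernel expressions have, so the implicit conversions behave
 * identically.  All struct/function names and input values are
 * constructed for the example. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INT_WIDTH_BITS ((int)(sizeof(int) * CHAR_BIT))

/* Stand-in for the dmap tree header fields dbJoin() reads.  On disk,
 * budmin is a signed 8-bit value; l2nleafs is a 32-bit little-endian
 * count, stored here already converted as le32_to_cpu() would return it
 * (i.e. as an unsigned 32-bit value). */
struct tree_hdr {
	int8_t   budmin;    /* dmt_budmin */
	uint32_t l2nleafs;  /* le32_to_cpu(dmt_l2nleafs) */
};

/* Exponent BUDSIZE(newval, budmin) would shift 1 by, or -1 when that
 * exponent is outside 0..31 and the shift is undefined for a 32-bit int
 * (the condition UBSAN reported as "shift exponent 132"). */
int budsize_exponent(int newval, int8_t budmin)
{
	int e = newval - budmin;   /* int minus int8_t: cannot overflow */
	return (e < 0 || e >= INT_WIDTH_BITS) ? -1 : e;
}

/* dbJoin() only evaluates BUDSIZE when newval >= budmin, so this is the
 * exact condition under which the kernel would perform a bad shift. */
bool dbjoin_would_shift_oob(int newval, int8_t budmin)
{
	return newval >= budmin && budsize_exponent(newval, budmin) < 0;
}

/* Check A (the "sanity check for budmin" patch): reject a negative budmin. */
bool reject_negative_budmin(const struct tree_hdr *h)
{
	return h->budmin < 0;
}

/* Check B (the two "newval > budmin + l2nleafs" patches), written with
 * the kernel's operand types.  int8_t promotes to int, int + uint32_t is
 * evaluated as unsigned, and newval is converted to unsigned for the
 * comparison.  A negative budmin therefore wraps the bound to a value
 * near UINT32_MAX and the check stays false. */
bool reject_above_l2nleafs(int newval, const struct tree_hdr *h)
{
	unsigned int bound = h->budmin + h->l2nleafs;   /* unsigned arithmetic */
	return (unsigned int)newval > bound;            /* implicit in the kernel */
}

/* Check C (the last patch): bound the shift distance itself in int
 * arithmetic, independent of any other on-disk field. */
bool reject_shift_width(int newval, const struct tree_hdr *h)
{
	return newval < 0 ||
	       (newval >= h->budmin && newval - h->budmin >= INT_WIDTH_BITS);
}

/* Bitmask: 1 = kernel shift would be out of bounds, 2 = check A rejects,
 * 4 = check B rejects, 8 = check C rejects.  A robust check must set its
 * bit whenever bit 1 is set. */
int eval_case(int newval, int8_t budmin, uint32_t l2nleafs)
{
	struct tree_hdr h = { .budmin = budmin, .l2nleafs = l2nleafs };
	int m = 0;

	if (dbjoin_would_shift_oob(newval, budmin)) m |= 1;
	if (reject_negative_budmin(&h))             m |= 2;
	if (reject_above_l2nleafs(newval, &h))      m |= 4;
	if (reject_shift_width(newval, &h))         m |= 8;
	return m;
}

int main(void)
{
	/* Constructed inputs: a sane dmap tree (budmin 5, l2nleafs 8), the
	 * shape behind the report (budmin -128 gives exponent 132 for newval
	 * 4), and a corrupt image where l2nleafs is also inflated. */
	const struct { const char *what; int newval; int8_t budmin; uint32_t l2nleafs; } c[] = {
		{ "sane tree, newval 13",               13,    5,   8 },
		{ "newval below budmin, no shift",       4,    5,   8 },
		{ "negative budmin (report shape)",      4, -128,   8 },
		{ "big newval, l2nleafs also corrupt",  40,    5, 100 },
	};

	for (size_t i = 0; i < sizeof c / sizeof c[0]; i++) {
		int m = eval_case(c[i].newval, c[i].budmin, c[i].l2nleafs);
		printf("%-36s oob=%d  A=%d  B=%d  C=%d\n", c[i].what,
		       m & 1, !!(m & 2), !!(m & 4), !!(m & 8));
	}
	return 0;
}
```

Build with `cc -Wall budsize_check.c && ./a.out`. The row for the report shape shows the property a reviewer cares about: the shift is out of bounds (oob=1), check A and check C reject it, but check B does not, because the mixed int/u32 addition turned the bound into a huge unsigned value; check C is the only one of the three that holds for every row where oob=1, and it does so without reading a second untrusted on-disk field.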
* Forwarded: Re: [syzbot] UBSAN: shift-out-of-bounds in dbJoin
From: syzbot @ 2026-04-17 16:19 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] UBSAN: shift-out-of-bounds in dbJoin
Author: tristmd@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From b3eba06211261ff42d58377c02b45bf48aae8f82 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Fri, 17 Apr 2026 16:15:14 +0000
Subject: [PATCH] jfs: fix shift-out-of-bounds in dbJoin
dbJoin() can receive a corrupted newval from on-disk metadata that
exceeds the valid range for the BUDSIZE macro's shift operation.
When newval is larger than budmin + l2nleafs, the shift produces
undefined behavior detected by UBSAN.
Add a sanity check on newval before the shift to reject corrupted
values.
Reported-by: syzbot+fa603ae6b02658401ca7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fa603ae6b02658401ca7
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/jfs/jfs_dmap.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a841cf2..4ad9b34 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2864,6 +2864,9 @@ static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl)
if (newval >= tp->dmt_budmin) {
/* pickup a pointer to the leaves of the tree.
*/
+ if (newval > tp->dmt_budmin +
+ le32_to_cpu(tp->dmt_l2nleafs))
+ return -EIO;
leaf = tp->dmt_stree + le32_to_cpu(tp->dmt_leafidx);
/* try to join the specified leaf into a large binary
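Review bot: this is the same `newval > tp->dmt_budmin + le32_to_cpu(tp->dmt_l2nleafs)` comparison as the earlier version and has the same signedness defect: the right-hand side is unsigned because le32_to_cpu() returns a u32, so a negative dmt_budmin wraps the bound and the comparison stays false for the corrupted case. Compare `newval - tp->dmt_budmin` against the width of int instead. This version has also dropped the comment that explained what the bound means, and the changelog has lost the `Fixes:` and `Cc: stable@vger.kernel.org` tags the earlier submission carried; if the fix is meant for stable they need to come back.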
--
2.47.3
* Forwarded: Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)
From: syzbot @ 2026-04-17 19:19 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbJoin (2)
Author: tristmd@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2770,6 +2770,10 @@ static int dbJoin(dmtree_t *tp, int leafno, int newval, bool is_ctl)
int budsz, buddy;
s8 *leaf;
+ if (newval < 0 ||
+ (newval >= tp->dmt_budmin && newval - tp->dmt_budmin >= 32))
+ return -EIO;
+
/* can the new leaf value require a join with other leaves ?
*/
if (newval >= tp->dmt_budmin) {
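Review bot: this version bounds the shift distance in int arithmetic, which handles a negative dmt_budmin correctly, but the literal 32 duplicates knowledge about the type BUDSIZE shifts; use `BITS_PER_TYPE(int)` (or a named constant placed next to BUDSIZE in the header) so the check cannot drift from the macro. Confirm that no caller legitimately passes a negative newval, since `newval < 0` now returns -EIO before the `if (newval >= tp->dmt_budmin)` test that such values previously fell through. The `index XXXXXXX..XXXXXXX` line again shows the diff was not generated from a real commit, so it should be regenerated with `git format-patch` before it is applied.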