From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by smtp.subspace.kernel.org (Postfix) with ESMTPS id 20F241170D
    for ; Mon, 11 Sep 2023 14:11:56 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 961B9C433C8;
    Mon, 11 Sep 2023 14:11:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
    s=korg; t=1694441516;
    bh=ZGHi1LU8B7w4sTr/gQB3Mb7+6gGcui8lSAG0jb8wYUQ=;
    h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
    b=EBgx/k1+NPklgQIFNotDgN7Dc5abQlB9T1bSDR4uvOe+BN2HUl5f1s1OBkcYJaZyR
     wAJbrBB+CE6+a+jtbsP42LNTSbPYcjdYk5Z8atiVCM1uV29l/1L8yBflOaTU8+urmK
     oiI6sMhEZWc/5NMwhggF57V9EUxEp7plD8+XKGNA=
From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Aleksei Filippov,
    Dave Kleikamp, Sasha Levin,
    syzbot+5f088f29593e6b4c8db8@syzkaller.appspotmail.com
Subject: [PATCH 6.5 441/739] jfs: validate max amount of blocks before allocation.
Date: Mon, 11 Sep 2023 15:44:00 +0200
Message-ID: <20230911134703.486112890@linuxfoundation.org>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20230911134650.921299741@linuxfoundation.org>
References: <20230911134650.921299741@linuxfoundation.org>
User-Agent: quilt/0.67
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: patches@lists.linux.dev
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

6.5-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexei Filippov

[ Upstream commit 0225e10972fa809728b8d4c1bd2772b3ec3fdb57 ]

The lack of checking bmp->db_max_freebud in extBalloc() can lead to
shift out of bounds, so this patch prevents undefined behavior, because
bmp->db_max_freebud == -1 only if there is no free space.

Signed-off-by: Aleksei Filippov
Signed-off-by: Dave Kleikamp Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-and-tested-by: syzbot+5f088f29593e6b4c8db8@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?id=01abadbd6ae6a08b1f1987aa61554c6b3ac19ff2 Signed-off-by: Sasha Levin --- fs/jfs/jfs_extent.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/jfs/jfs_extent.c b/fs/jfs/jfs_extent.c index ae99a7e232eeb..a82751e6c47f9 100644 --- a/fs/jfs/jfs_extent.c +++ b/fs/jfs/jfs_extent.c @@ -311,6 +311,11 @@ extBalloc(struct inode *ip, s64 hint, s64 * nblocks, s64 * blkno) * blocks in the map. in that case, we'll start off with the * maximum free. */ + + /* give up if no space left */ + if (bmp->db_maxfreebud == -1) + return -ENOSPC; + max = (s64) 1 << bmp->db_maxfreebud; if (*nblocks >= max && *nblocks > nbperpage) nb = nblks = (max > nbperpage) ? max : nbperpage; -- 2.40.1
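
Review bot: in the extBalloc() hunk of fs/jfs/jfs_extent.c, the new guard tests only bmp->db_maxfreebud == -1, so any other negative value, or a value of 64 or more, would still reach "max = (s64) 1 << bmp->db_maxfreebud;" with an out-of-range shift count. If db_maxfreebud can hold such a value (for example from a corrupted on-disk map, given that the report comes from syzbot), a check on both ends of the range before the shift would cover those cases as well; otherwise the changelog should state why -1 is the only invalid value that can occur here. Two smaller points: the changelog spells the field db_max_freebud while the code uses db_maxfreebud, and the added blank line and check now sit between the existing "we'll start off with the maximum free" comment and the "max = ..." assignment that comment describes, so placing the check above that comment block would keep the comment attached to its code.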