From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Rand Deeb <rand.sec96@gmail.com>,
Dave Kleikamp <dave.kleikamp@oracle.com>,
Sasha Levin <sashal@kernel.org>,
shaggy@kernel.org, eadavis@qq.com, rbrasga@uci.edu,
ghanshyam1898@gmail.com, aha310510@gmail.com,
niharchaithanya@gmail.com, jfs-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 5.10 02/15] fs/jfs: cast inactags to s64 to prevent potential overflow
Date: Thu, 3 Apr 2025 15:09:49 -0400
Message-ID: <20250403191002.2678588-2-sashal@kernel.org>
In-Reply-To: <20250403191002.2678588-1-sashal@kernel.org>

From: Rand Deeb <rand.sec96@gmail.com>

[ Upstream commit 70ca3246ad201b53a9f09380b3f29d8bac320383 ]

The expression "inactags << bmp->db_agl2size" in the function
dbFinalizeBmap() is computed using int operands. Although the
values (inactags and db_agl2size) are derived from filesystem
parameters and are usually small, there is a theoretical risk that
the shift could overflow a 32-bit int if extreme values occur.

According to the C standard, shifting a signed 32-bit int can lead
to undefined behavior if the result exceeds its range. In our
case, an overflow could miscalculate free blocks, potentially
leading to erroneous filesystem accounting.

To ensure the arithmetic is performed in 64-bit space, we cast
"inactags" to s64 before shifting. This defensive fix prevents any
risk of overflow and complies with kernel coding best practices.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index ef220709c7f51..389dafd23d15e 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3728,8 +3728,8 @@ void dbFinalizeBmap(struct inode *ipbmap)
* system size is not a multiple of the group size).
*/
inactfree = (inactags && ag_rem) ?
- ((inactags - 1) << bmp->db_agl2size) + ag_rem
- : inactags << bmp->db_agl2size;
+ (((s64)inactags - 1) << bmp->db_agl2size) + ag_rem
+ : ((s64)inactags << bmp->db_agl2size);
/* determine how many free blocks are in the active
* allocation groups plus the average number of free blocks
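
Review bot: the shift count bmp->db_agl2size is still used unchecked in both arms of the conditional, so the (s64) casts fix the operand width but not the range of the count. A count that is negative or at least 64 remains undefined for a 64-bit left operand, and the commit message itself says both values come from filesystem parameters. Please confirm that db_agl2size is bounded where the on-disk bitmap control page is read, and say so in the commit message or in a short comment above the expression. A negative inactags would likewise still be shifted as a negative s64, so the casts address overflow of the result only. Minor style point: the outer parentheses added around the second arm, "((s64)inactags << bmp->db_agl2size)", are not needed.
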
--
2.39.5