From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Edward Adam Davis <eadavis@qq.com>,
syzbot+7c808908291a569281a9@syzkaller.appspotmail.com,
Dave Kleikamp <dave.kleikamp@oracle.com>,
Sasha Levin <sashal@kernel.org>,
shaggy@kernel.org, rand.sec96@gmail.com, peili.dev@gmail.com,
ghanshyam1898@gmail.com, niharchaithanya@gmail.com,
aha310510@gmail.com, jfs-discussion@lists.sourceforge.net
Subject: [PATCH AUTOSEL 5.10 05/15] jfs: add sanity check for agwidth in dbMount
Date: Thu, 3 Apr 2025 15:09:52 -0400 [thread overview]
Message-ID: <20250403191002.2678588-5-sashal@kernel.org> (raw)
In-Reply-To: <20250403191002.2678588-1-sashal@kernel.org>
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit ddf2846f22e8575d6b4b6a66f2100f168b8cd73d ]
The width in dmapctl of the AG is zero, it trigger a divide error when
calculating the control page level in dbAllocAG.
To avoid this issue, add a check for agwidth in dbAllocAG.
Reported-and-tested-by: syzbot+7c808908291a569281a9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7c808908291a569281a9
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 3cc10f9bf9f8b..8f4c55c711ba0 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -204,6 +204,10 @@ int dbMount(struct inode *ipbmap)
bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
+ if (!bmp->db_agwidth) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
--
2.39.5
next prev parent reply other threads:[~2025-04-03 19:10 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-03 19:09 [PATCH AUTOSEL 5.10 01/15] page_pool: avoid infinite loop to schedule delayed worker Sasha Levin
2025-04-03 19:09 ` [PATCH AUTOSEL 5.10 02/15] fs/jfs: cast inactags to s64 to prevent potential overflow Sasha Levin
2025-04-03 19:09 ` [PATCH AUTOSEL 5.10 03/15] fs/jfs: Prevent integer overflow in AG size calculation Sasha Levin
2025-04-03 19:09 ` [PATCH AUTOSEL 5.10 04/15] jfs: Prevent copying of nlink with value 0 from disk inode Sasha Levin
2025-04-03 19:09 ` Sasha Levin [this message]
2025-04-03 19:09 ` [PATCH AUTOSEL 5.10 06/15] ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode Sasha Levin
2025-04-03 19:09 ` [PATCH AUTOSEL 5.10 07/15] f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() Sasha Levin
2025-04-03 19:09 ` [PATCH AUTOSEL 5.10 08/15] ahci: add PCI ID for Marvell 88SE9215 SATA Controller Sasha Levin
2025-04-03 19:09 ` [PATCH AUTOSEL 5.10 09/15] ext4: protect ext4_release_dquot against freezing Sasha Levin
2025-04-03 19:09 ` [PATCH AUTOSEL 5.10 10/15] ext4: ignore xattrs past end Sasha Levin
2025-04-03 19:09 ` [PATCH AUTOSEL 5.10 11/15] scsi: st: Fix array overflow in st_setup() Sasha Levin
2025-04-03 19:09 ` [PATCH AUTOSEL 5.10 12/15] wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table Sasha Levin
2025-04-03 19:10 ` [PATCH AUTOSEL 5.10 13/15] net: vlan: don't propagate flags on open Sasha Levin
2025-04-18 17:01 ` Pavel Machek
2025-04-03 19:10 ` [PATCH AUTOSEL 5.10 14/15] tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER Sasha Levin
2025-04-03 19:10 ` [PATCH AUTOSEL 5.10 15/15] Bluetooth: hci_uart: fix race during initialization Sasha Levin
2025-04-18 17:03 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250403191002.2678588-5-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=aha310510@gmail.com \
--cc=dave.kleikamp@oracle.com \
--cc=eadavis@qq.com \
--cc=ghanshyam1898@gmail.com \
--cc=jfs-discussion@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=niharchaithanya@gmail.com \
--cc=peili.dev@gmail.com \
--cc=rand.sec96@gmail.com \
--cc=shaggy@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+7c808908291a569281a9@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox