From: l1za0.sec@gmail.com
To: Dave Kleikamp
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH] jfs: fix kernel paging request bug in dbAllocBits
Date: Tue, 21 Apr 2026 00:02:19 +0800
Message-ID: <20260420160231.80483-1-l1za0.sec@gmail.com>
X-Mailer: git-send-email 2.51.0
X-Mailing-List: linux-kernel@vger.kernel.org

From: Haocheng Yu

A "BUG: unable to handle kernel paging request in dbAllocBits" issue is reported by a modified Syzkaller-based kernel fuzzing tool that we developed.

The issue arises because dbAllocBits() uses bmp->db_agfree[agno], and agno is used without verification after being calculated using `blkno >> bmp->db_agl2size;`. And blkno is calculated using `blkno = le64_to_cpu(dp->start) + (word << L2DBWORD);`. If a corrupted image is read at runtime, an unreasonable dp->start might be read, causing agno to be excessively large.

To fix this vulnerability, I added the db_valid_agno() helper function to verify the validity of blkno and agno. This verification is added before all similar places that use bmp->db_agfree[agno], including dbAllocBits(), dbFreeBits(), and dbAllocDmapBU().

Signed-off-by: Haocheng Yu
---
 fs/jfs/jfs_dmap.c | 36 +++++++++++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 88afd108c2dd..5f144dd92336 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -106,6 +106,21 @@ static int dbInitTree(struct dmaptree * dtp); static int dbInitDmapCtl(struct dmapctl * dcp, int level, int i); static int dbGetL2AGSize(s64 nblocks); +static bool db_valid_agno(struct bmap *bmp, s64 blkno, int *agno) +{ + int idx; + + if (unlikely(blkno < 0 || blkno >= bmp->db_mapsize)) + return false; + + idx = blkno >> bmp->db_agl2size; + if (unlikely(idx < 0 || idx >= bmp->db_numag || idx >= MAXAG)) + return false; + + *agno = idx; + return true; +} + /* * buddy table * @@ -2235,12 +2250,17 @@ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno, le32_add_cpu(&dp->nfree, -nblocks); BMAP_LOCK(bmp); + if (unlikely(!db_valid_agno(bmp, blkno, &agno))) { + BMAP_UNLOCK(bmp); + jfs_error(bmp->db_ipbmap->i_sb, + "invalid agno in %s\n", __func__); + return; + } /* if this allocation group is completely free, * update the maximum allocation group number if this allocation * group is the new max. */ - agno = blkno >> bmp->db_agl2size; if (agno > bmp->db_maxag) bmp->db_maxag = agno; @@ -2383,7 +2403,12 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno, /* update the free count for the allocation group and * map. */ - agno = blkno >> bmp->db_agl2size; + if (unlikely(!db_valid_agno(bmp, blkno, &agno))) { + BMAP_UNLOCK(bmp); + jfs_error(bmp->db_ipbmap->i_sb, + "invalid agno in %s\n", __func__); + return -EIO; + } bmp->db_nfree += nblocks; bmp->db_agfree[agno] += nblocks; @@ -3296,7 +3321,12 @@ static int dbAllocDmapBU(struct bmap * bmp, struct dmap * dp, s64 blkno, * update the highest active allocation group number * if this allocation group is the new max. */ - agno = blkno >> bmp->db_agl2size; + if (unlikely(!db_valid_agno(bmp, blkno, &agno))) { + BMAP_UNLOCK(bmp); + jfs_error(bmp->db_ipbmap->i_sb, + "invalid agno in %s\n", __func__); + return -EIO; + } if (agno > bmp->db_maxag) bmp->db_maxag = agno; base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa -- 2.51.0
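Review bot: in the db_valid_agno() hunk, `idx = blkno >> bmp->db_agl2size;` narrows the s64 shift result into an int before the range check, so with a corrupted db_agl2size (zero or very small) the high bits are discarded and a truncated idx can still pass `idx < 0 || idx >= bmp->db_numag`. Compute in the wide type and narrow only after the check, e.g. `s64 idx = blkno >> bmp->db_agl2size;` followed by the comparisons and then `*agno = idx;`. db_agl2size also comes from the on-disk map, and a shift count of 64 or more is undefined in C, so either bound it here or make sure it is validated at mount time. A short comment stating the helper's contract (blkno checked against db_mapsize, the derived agno against db_numag and MAXAG) would also help, since the definition sits among the forward declarations with no description.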
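Review bot: in the dbAllocBits() hunk the validation runs too late: the context line `le32_add_cpu(&dp->nfree, -nblocks);` has already adjusted the dmap's free count (and the dmap bit words were updated earlier in the function) when the new check fails, so the dmap and the bmap-level counters (db_nfree, db_agfree) are left disagreeing, and because dbAllocBits() is void the bare `return;` gives the caller no way to notice. Move the db_valid_agno() call to the top of the function, before any dmap state is modified, or perform it in the int-returning caller so a corrupted dp->start aborts the allocation with -EIO before anything is changed.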
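Review bot: the dbFreeBits() and dbAllocDmapBU() hunks carry byte-for-byte the same six-line error block as dbAllocBits(); a small static helper that does the BMAP_UNLOCK and jfs_error would keep the three sites from drifting. The message `"invalid agno in %s\n"` also reports only the function: including the offending blkno (and the computed index) in the jfs_error text would let the corrupted on-disk value be read off the log instead of requiring a reproduction.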