public inbox for linux-kernel@vger.kernel.org
* [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbAllocAG (3)
@ 2025-10-17  4:35 syzbot
  2025-10-17  8:13 ` [PATCH] jfs: test syz test Pei Xiao
                   ` (4 more replies)
  0 siblings, 5 replies; 8+ messages in thread
From: syzbot @ 2025-10-17  4:35 UTC (permalink / raw)
  To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    7ea30958b305 Merge tag 'vfs-6.18-rc2.fixes' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10eee5e2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=af9170887d81dea1
dashboard link: https://syzkaller.appspot.com/bug?extid=4b717071f1eecb2972df
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16a64b04580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12c8bdcd980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3e5414d12be0/disk-7ea30958.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f88a30954acd/vmlinux-7ea30958.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aa2283ab9f73/bzImage-7ea30958.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/ffc7d81ee40c/mount_0.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1585552f980000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4b717071f1eecb2972df@syzkaller.appspotmail.com

------------[ cut here ]------------
UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1440:48
shift exponent -1 is negative
CPU: 0 UID: 0 PID: 6076 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
 __ubsan_handle_shift_out_of_bounds+0x386/0x410 lib/ubsan.c:494
 dbAllocAG+0xfc0/0xff0 fs/jfs/jfs_dmap.c:1440
 dbAlloc+0x5a8/0xba0 fs/jfs/jfs_dmap.c:877
 extBalloc fs/jfs/jfs_extent.c:336 [inline]
 extAlloc+0x54a/0xfb0 fs/jfs/jfs_extent.c:127
 jfs_get_block+0x346/0xab0 fs/jfs/inode.c:254
 __block_write_begin_int+0x6b5/0x1900 fs/buffer.c:2145
 block_write_begin+0x8a/0x120 fs/buffer.c:2256
 jfs_write_begin+0x35/0x80 fs/jfs/inode.c:306
 generic_perform_write+0x29d/0x8c0 mm/filemap.c:4242
 generic_file_write_iter+0x118/0x550 mm/filemap.c:4385
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5d5/0xb40 fs/read_write.c:686
 ksys_write+0x14b/0x260 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa99272eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffa62c1048 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa992985fa0 RCX: 00007fa99272eec9
RDX: 0000000000000014 RSI: 0000200000000380 RDI: 0000000000000005
RBP: 00007fa9927b1f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa992985fa0 R14: 00007fa992985fa0 R15: 0000000000000003
 </TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* [PATCH] jfs: test syz test
  2025-10-17  4:35 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbAllocAG (3) syzbot
@ 2025-10-17  8:13 ` Pei Xiao
  2025-10-17  8:24   ` Pei Xiao
  2025-10-17 10:52   ` [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbAllocAG (3) syzbot
  2025-10-17 19:25 ` Forwarded: " syzbot
                   ` (3 subsequent siblings)
  4 siblings, 2 replies; 8+ messages in thread
From: Pei Xiao @ 2025-10-17  8:13 UTC (permalink / raw)
  To: syzbot+4b717071f1eecb2972df
  Cc: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs, Pei Xiao

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..9d26c5dc4efd 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1435,6 +1435,11 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
 			blkno &= ~(MAXL1SIZE - 1);
 		else		/* bmp->db_aglevel == 0 */
 			blkno &= ~(MAXL0SIZE - 1);
+		
+		if (unlikely(budmin < 0)) {
+   			WARN_ON_ONCE(1);
+    			budmin = 0;
+		}		
 
 		blkno +=
 		    ((s64) (ti - le32_to_cpu(dcp->leafidx))) << budmin;
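Review bot: clamping a negative budmin to 0 at the use site (the `if (unlikely(budmin < 0))` block before the shift) silences the sanitizer but keeps allocating from a dmapctl page that is already known to be corrupt, so the blkno computed on the next line is meaningless; reject the page instead, ideally where `budmin = dcp->budmin` is read from the on-disk page, with jfs_error() and an -EIO return like the existing leafidx check there. `budmin < 0` also leaves values of 64 and above unchecked, which are just as undefined as a shift count for an s64. Finally, the added lines carry trailing whitespace (`+		` and `+		}		`) and mixed space/tab indentation (`+   			WARN_ON_ONCE(1);`), which checkpatch will flag.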
-- 
2.25.1



* [PATCH] jfs: test syz test
  2025-10-17  8:13 ` [PATCH] jfs: test syz test Pei Xiao
@ 2025-10-17  8:24   ` Pei Xiao
  2025-10-17 10:52   ` [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbAllocAG (3) syzbot
  1 sibling, 0 replies; 8+ messages in thread
From: Pei Xiao @ 2025-10-17  8:24 UTC (permalink / raw)
  To: syzbot+4b717071f1eecb2972df; +Cc: linux-kernel, syzkaller-bugs, Pei Xiao

#syz test
---
 fs/jfs/jfs_dmap.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..9d26c5dc4efd 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1435,6 +1435,11 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
 			blkno &= ~(MAXL1SIZE - 1);
 		else		/* bmp->db_aglevel == 0 */
 			blkno &= ~(MAXL0SIZE - 1);
+		
+		if (unlikely(budmin < 0)) {
+   			WARN_ON_ONCE(1);
+    			budmin = 0;
+		}		
 
 		blkno +=
 		    ((s64) (ti - le32_to_cpu(dcp->leafidx))) << budmin;
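Review bot: this is the same hunk as the previous message, resent with the #syz test command; syzbot's result further down the thread shows the reproducer now tripping the new WARN_ON_ONCE(1) at fs/jfs/jfs_dmap.c:1440, which confirms that a corrupt budmin does reach this shift and that the clamp only turns the UBSAN splat into a WARNING. A corrupt image that an unprivileged user can mount must not be able to fire a kernel warning at all (syzbot counts it as a bug, and panic_on_warn turns it into a crash), so this should be an error return, not a WARN plus a fix-up value.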
-- 
2.25.1



* Re: [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbAllocAG (3)
  2025-10-17  8:13 ` [PATCH] jfs: test syz test Pei Xiao
  2025-10-17  8:24   ` Pei Xiao
@ 2025-10-17 10:52   ` syzbot
  1 sibling, 0 replies; 8+ messages in thread
From: syzbot @ 2025-10-17 10:52 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs, xiaopei01

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in dbAllocAG

------------[ cut here ]------------
WARNING: CPU: 1 PID: 6656 at fs/jfs/jfs_dmap.c:1440 dbAllocAG+0xd67/0x1080 fs/jfs/jfs_dmap.c:1440
Modules linked in:
CPU: 1 UID: 0 PID: 6656 Comm: syz.0.22 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:dbAllocAG+0xd67/0x1080 fs/jfs/jfs_dmap.c:1440
Code: 89 d8 48 c1 e8 03 42 80 3c 30 00 74 08 48 89 df e8 fe e7 e6 fe 48 8b 3b 48 c7 c6 a0 1a 24 8b e9 d2 f9 ff ff e8 ea 35 85 fe 90 <0f> 0b 90 48 8b 44 24 78 42 0f b6 04 20 84 c0 0f 85 d5 02 00 00 48
RSP: 0018:ffffc90004e4f300 EFLAGS: 00010293
RAX: ffffffff8339c746 RBX: ffff888036d4f000 RCX: ffff88802e0a8000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000002 R12: dffffc0000000000
R13: 0000000000000155 R14: 0000000000000000 R15: 00000000000000ff
FS:  00007efe0bfed6c0(0000) GS:ffff888126cc6000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000565151f06950 CR3: 0000000041956000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 dbAlloc+0x5a8/0xba0 fs/jfs/jfs_dmap.c:877
 extBalloc fs/jfs/jfs_extent.c:336 [inline]
 extAlloc+0x54a/0xfb0 fs/jfs/jfs_extent.c:127
 jfs_get_block+0x346/0xab0 fs/jfs/inode.c:254
 __block_write_begin_int+0x6b5/0x1900 fs/buffer.c:2145
 block_write_begin+0x8a/0x120 fs/buffer.c:2256
 jfs_write_begin+0x35/0x80 fs/jfs/inode.c:306
 generic_perform_write+0x29d/0x8c0 mm/filemap.c:4242
 generic_file_write_iter+0x118/0x550 mm/filemap.c:4385
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x5d5/0xb40 fs/read_write.c:686
 ksys_write+0x14b/0x260 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efe0c99eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007efe0bfed038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007efe0cbf6090 RCX: 00007efe0c99eec9
RDX: 0000000000000014 RSI: 0000200000000380 RDI: 0000000000000005
RBP: 00007efe0ca21f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007efe0cbf6128 R14: 00007efe0cbf6090 R15: 00007ffeba24aff8
 </TASK>


Tested on:

commit:         98ac9cc4 Merge tag 'f2fs-fix-6.18-rc2' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1606cb04580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=af9170887d81dea1
dashboard link: https://syzkaller.appspot.com/bug?extid=4b717071f1eecb2972df
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17cfbdcd980000



* Forwarded: UBSAN: shift-out-of-bounds in dbAllocAG (3)
  2025-10-17  4:35 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbAllocAG (3) syzbot
  2025-10-17  8:13 ` [PATCH] jfs: test syz test Pei Xiao
@ 2025-10-17 19:25 ` syzbot
  2025-10-17 20:13 ` syzbot
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2025-10-17 19:25 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: UBSAN: shift-out-of-bounds in dbAllocAG (3)
Author: hsukrut3@gmail.com

#syz test
---
 fs/jfs/jfs_dmap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..477b332763a8 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1372,6 +1372,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
 	dcp = (struct dmapctl *) mp->data;
 	budmin = dcp->budmin;
 
+	if (unlikely(budmin < 0) {
+		jfs_err("JFS: dmapctl corruption: budmin=%d", budmin);
+		release_metapage(mp);
+		return -EIO;
+	}
+
 	if (dcp->leafidx != cpu_to_le32(CTLLEAFIND)) {
 		jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n");
 		release_metapage(mp);
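Review bot: `if (unlikely(budmin < 0) {` is missing the closing parenthesis of the if condition, so this hunk does not compile; it has to read `if (unlikely(budmin < 0)) {`. Beyond that, `budmin < 0` rejects only negative values, while a budmin of 64 or more is still an out-of-range shift count for the s64 shift at line 1440, so both ends of the range need checking before the value is used.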
-- 
2.43.0



* Forwarded: UBSAN: shift-out-of-bounds in dbAllocAG (3)
  2025-10-17  4:35 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbAllocAG (3) syzbot
  2025-10-17  8:13 ` [PATCH] jfs: test syz test Pei Xiao
  2025-10-17 19:25 ` Forwarded: " syzbot
@ 2025-10-17 20:13 ` syzbot
  2026-04-17 10:12 ` Forwarded: [PATCH] jfs: validate budmin from dmapctl to prevent shift-out-of-bounds syzbot
  2026-04-17 16:20 ` Forwarded: Re: [syzbot] UBSAN: shift-out-of-bounds in dbAllocAG syzbot
  4 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2025-10-17 20:13 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: UBSAN: shift-out-of-bounds in dbAllocAG (3)
Author: hsukrut3@gmail.com

#syz test
---
 fs/jfs/jfs_dmap.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..76f4b9322034 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1372,6 +1372,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
 	dcp = (struct dmapctl *) mp->data;
 	budmin = dcp->budmin;
 
+	if (unlikely(budmin < 0)) {
+		jfs_err("JFS: dmapctl corruption: budmin=%d", budmin);
+		release_metapage(mp);
+		return -EIO;
+	}
+
 	if (dcp->leafidx != cpu_to_le32(CTLLEAFIND)) {
 		jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n");
 		release_metapage(mp);
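Review bot: jfs_err() is only a printk; the leafidx check directly below this hunk uses jfs_error(bmp->db_ipbmap->i_sb, ...), which also records that the filesystem hit corruption and applies the errors= mount option (remount read-only or panic), so use the same call here for consistency. The hunk also only covers dbAllocAG(); dbFindCtl() reads budmin from a dmapctl page and uses it as a shift count in the same way, as noted later in this thread, and needs the same check, and the upper bound is still missing here.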
-- 
2.43.0



* Forwarded: [PATCH] jfs: validate budmin from dmapctl to prevent shift-out-of-bounds
  2025-10-17  4:35 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbAllocAG (3) syzbot
                   ` (2 preceding siblings ...)
  2025-10-17 20:13 ` syzbot
@ 2026-04-17 10:12 ` syzbot
  2026-04-17 16:20 ` Forwarded: Re: [syzbot] UBSAN: shift-out-of-bounds in dbAllocAG syzbot
  4 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2026-04-17 10:12 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] jfs: validate budmin from dmapctl to prevent shift-out-of-bounds
Author: tristmd@gmail.com

From: Tristan Madani <tristan@talencesecurity.com>

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


dbAllocAG() reads budmin directly from an on-disk dmapctl page and uses
it as a shift amount:

    blkno += ((s64)(ti - le32_to_cpu(dcp->leafidx))) << budmin;

When the filesystem image is corrupted, budmin (an s8) can be negative,
causing a UBSAN shift-out-of-bounds splat with "shift exponent -1 is
negative".

The existing mount-time validation in dbMount() (commit 7c4af96b24a6)
covers db_agheight/db_agwidth/db_agstart but not budmin in individual
dmapctl pages, since those are read at allocation time, not at mount.

Fix this by validating budmin immediately after reading it from the
dmapctl page.  A valid budmin for a dmapctl page must be in the range
[L2BPERDMAP, L2MAXL2SIZE] (i.e. [13, 43]).  Reject pages outside this
range as corrupt.

The same pattern exists in dbFindCtl() which also reads budmin from
dmapctl pages and uses it as a shift; add the validation there too.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+4b717071f1eecb2972df@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b717071f1eecb2972df
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_dmap.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 35e063c9f3a4..a1b2c3d4e5f6 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1373,6 +1373,13 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
 	dcp = (struct dmapctl *) mp->data;
 	budmin = dcp->budmin;

+	if (budmin < L2BPERDMAP || budmin > L2MAXL2SIZE) {
+		jfs_error(bmp->db_ipbmap->i_sb,
+			  "Corrupt dmapctl budmin %d\n", budmin);
+		release_metapage(mp);
+		return -EIO;
+	}
+
 	if (dcp->leafidx != cpu_to_le32(CTLLEAFIND)) {
 		jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n");
 		release_metapage(mp);
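Review bot: the post-image blob id in the index line (`35e063c9f3a4..a1b2c3d4e5f6`) looks like a placeholder rather than something git produced, which suggests the diff was edited by hand; regenerate it with git format-patch from a real commit so it can be applied with git am. On the hunk itself, the same `budmin < L2BPERDMAP || budmin > L2MAXL2SIZE` test is duplicated in the dbFindCtl() hunk below; a small static predicate taking the dmapctl would keep the bound in one place, and the commit message should justify why L2MAXL2SIZE (43) is the right upper bound for a dmapctl's budmin rather than just stating the range.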
@@ -1703,6 +1710,13 @@ static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno)
 		dcp = (struct dmapctl *) mp->data;
 		budmin = dcp->budmin;

+		if (budmin < L2BPERDMAP || budmin > L2MAXL2SIZE) {
+			jfs_error(bmp->db_ipbmap->i_sb,
+				  "Corrupt dmapctl budmin %d\n", budmin);
+			release_metapage(mp);
+			return -EIO;
+		}
+
 		if (dcp->leafidx != cpu_to_le32(CTLLEAFIND)) {
 			jfs_error(bmp->db_ipbmap->i_sb,
 				  "Corrupt dmapctl page\n");
--
2.39.2


* Forwarded: Re: [syzbot] UBSAN: shift-out-of-bounds in dbAllocAG
  2025-10-17  4:35 [syzbot] [jfs?] UBSAN: shift-out-of-bounds in dbAllocAG (3) syzbot
                   ` (3 preceding siblings ...)
  2026-04-17 10:12 ` Forwarded: [PATCH] jfs: validate budmin from dmapctl to prevent shift-out-of-bounds syzbot
@ 2026-04-17 16:20 ` syzbot
  4 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2026-04-17 16:20 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] UBSAN: shift-out-of-bounds in dbAllocAG
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
From 68c84cc03503804c418f99cf442b48de6959405b Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Fri, 17 Apr 2026 16:15:15 +0000
Subject: [PATCH] jfs: add upper bound check for budmin in check_dmapctl()

check_dmapctl() validates that budmin >= BUDMIN but does not check
the upper bound. A corrupted filesystem image can set budmin to a
value larger than L2MAXL2SIZE, causing UBSAN shift-out-of-bounds
when the value is used as a shift count in dbAllocAG() and
dbFindCtl().

Add an upper bound check on budmin in check_dmapctl() to reject
values exceeding L2MAXL2SIZE.

Reported-by: syzbot+4b717071f1eecb2972df@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b717071f1eecb2972df
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_dmap.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index a841cf2..eb7c3ba 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -190,9 +190,9 @@ static bool check_dmapctl(struct dmapctl *dcp)
 				nleafs);
 			return false;
 		}
-	} else if (unlikely(budmin < BUDMIN)) {
-		jfs_err("dmapctl: invalid budmin %d (min %d)",
-			budmin, BUDMIN);
+	} else if (unlikely(budmin < BUDMIN || budmin > L2MAXL2SIZE)) {
+		jfs_err("dmapctl: invalid budmin %d (valid range %d-%d)",
+			budmin, BUDMIN, L2MAXL2SIZE);
 		return false;
 	}
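Review bot: the commit message attributes the splat to a budmin larger than L2MAXL2SIZE, but the syzbot report at the top of this thread says "shift exponent -1 is negative", i.e. a negative budmin, which the existing `budmin < BUDMIN` branch already rejects; either the reproducer was re-run against a different image or the message should describe the case it actually fixes. Also, this range test lives in an `else if` arm, so it only runs when the condition of the preceding `if` (whose nleafs check is visible above) is false; confirm that a page taking the first branch cannot reach the shifts in dbAllocAG() or dbFindCtl() with an unchecked budmin.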
 
-- 
2.47.3

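The two patches above (the dbAllocAG()/dbFindCtl() range check and the check_dmapctl() upper bound) both come down to the same rule: a shift count read from an on-disk dmapctl page must be validated before it is used. The following is an added example, not code from the kernel or from either patch: a user-space C model that parses a constructed dmapctl header, applies the [L2BPERDMAP, L2MAXL2SIZE] bound from the patch and only then performs the blkno computation from fs/jfs/jfs_dmap.c:1440. The header layout (four __le32 fields followed by an s8 budmin), the constant values 13/10/43/341, the page contents and the names leaf_to_blkno(), blkno_for() and make_page() are assumptions made for this example.

```c
/*
 * Added example, not code from the kernel or from any patch in this thread: a
 * user-space model of the budmin check the two patches above add before the
 * shifts in dbAllocAG()/dbFindCtl() and in check_dmapctl(). The header layout
 * (four __le32 fields, then an s8 budmin), the constant values and the
 * function names are assumptions; the sample pages are constructed below.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2BPERDMAP  13                            /* assumed: log2(blocks per dmap) */
#define L2LPERCTL   10                            /* assumed: log2(leaves per dmapctl) */
#define L2MAXL2SIZE (L2BPERDMAP + 3 * L2LPERCTL)  /* 43: the patch's range is [13, 43] */
#define CTLLEAFIND  341                           /* assumed: index of the first tree leaf */
#define PAGE_BYTES  32                            /* header only; a real page is 4096 bytes */

struct dmapctl_hdr {
	uint32_t nleafs, l2nleafs, leafidx, height;
	int8_t budmin;
};

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the header from raw page bytes; every field is untrusted on-disk input. */
static int read_dmapctl_hdr(const uint8_t *page, size_t len, struct dmapctl_hdr *h)
{
	if (len < 17)
		return -EINVAL;
	h->nleafs = get_le32(page);
	h->l2nleafs = get_le32(page + 4);
	h->leafidx = get_le32(page + 8);
	h->height = get_le32(page + 12);
	h->budmin = (int8_t)page[16];             /* s8 on disk: byte 0xff decodes to -1 */
	return 0;
}

/* The bound from the patch: anything outside [L2BPERDMAP, L2MAXL2SIZE] is corrupt. */
static int budmin_valid(int budmin)
{
	return budmin >= L2BPERDMAP && budmin <= L2MAXL2SIZE;
}

/*
 * Hardened form of   blkno += ((s64)(ti - le32_to_cpu(dcp->leafidx))) << budmin;
 * The shift is reached only with budmin in [13, 43] and a non-negative left
 * operand, so it is defined for an int64_t. Returns the blkno or a negative errno.
 */
static int64_t leaf_to_blkno(const uint8_t *page, size_t len, int ti, int64_t base)
{
	struct dmapctl_hdr h;

	if (read_dmapctl_hdr(page, len, &h))
		return -EINVAL;
	if (!budmin_valid(h.budmin))
		return -EIO;                       /* "Corrupt dmapctl budmin" */
	if (h.leafidx != CTLLEAFIND)
		return -EIO;                       /* "Corrupt dmapctl page" */
	if (ti < (int)h.leafidx)
		return -EIO;                       /* guard added in this model only */
	return base + ((int64_t)(ti - (int)h.leafidx) << h.budmin);
}

/* Constructed level-0-style header: nleafs 1024, l2nleafs 10, leafidx 341, height 5. */
static void make_page(uint8_t *page, uint8_t budmin_byte)
{
	static const uint8_t hdr[16] = { 0x00, 0x04, 0, 0, 0x0a, 0, 0, 0, 0x55, 0x01, 0, 0, 5, 0, 0, 0 };

	memset(page, 0, PAGE_BYTES);
	memcpy(page, hdr, sizeof hdr);
	page[16] = budmin_byte;                    /* the byte a corrupt image controls */
}

/* Block number of leaf ti for a page with the given raw budmin byte, or -errno. */
static int64_t blkno_for(uint8_t budmin_byte, int ti)
{
	uint8_t page[PAGE_BYTES];

	make_page(page, budmin_byte);
	return leaf_to_blkno(page, sizeof page, ti, 0);
}

int main(void)
{
	const uint8_t cases[] = { 13, 23, 43, 0xff, 0x80, 64, 12 };

	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		int64_t r = blkno_for(cases[i], CTLLEAFIND + 5);
		printf("budmin byte 0x%02x (%4d): %s %lld\n", cases[i], (int8_t)cases[i],
		       r < 0 ? "rejected, -errno" : "blkno", (long long)r);
	}
	return 0;
}
```

The byte 0xff case is the one the syzbot splat describes (budmin == -1); 64 and 0x80 show why the upper bound matters as much as the sign check, since an s8 can hold any of them and all are out of range as a shift count for a 64-bit value.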
