[PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume

[PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume

[1016331059]

[-- Attachment #1.1: Type: text/plain, Size: 1479 bytes --]

This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function. The bug can be triggered by an invalid
s_clustersize_bits value, which causes the expression

  1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)

to exceed the valid shift range of a 32-bit integer, leading to an
out-of-bounds shift reported by UBSAN.

Instead of performing the invalid shift while printing the error message,
log the raw s_clustersize_bits value directly.

This backport was also tested by syzbot on Linux 5.15.201
(commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y
tree), and the reproducer did not trigger any issue.

[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]

Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname
Reported-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Link: https://syzkaller.appspot.com/bug?extid=c6104ecfe56e0fd6b616
Tested-by: syzbot <syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Changjian Liu <driz2t@qq.com>

[-- Attachment #1.2: Type: text/html, Size: 7139 bytes --]

[-- Attachment #2: c6104ecfe56e0fd6b616.patch --]
[-- Type: application/octet-stream, Size: 2568 bytes --]

From ae310006fc6e06c233b8d6780b2a2c6a16d6d708 Mon Sep 17 00:00:00 2001
From: Changjian Liu <driz2t@qq.com>
Date: Mon, 23 Mar 2026 11:39:19 +0800
Subject: [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in
 ocfs2_verify_volume()

This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function. The bug can be triggered by an invalid
s_clustersize_bits value, which causes the expression

  1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)

to exceed the valid shift range of a 32-bit integer, leading to an
out-of-bounds shift reported by UBSAN.

Instead of performing the invalid shift while printing the error message,
log the raw s_clustersize_bits value directly.

This backport was also tested by syzbot on Linux 5.15.201
(commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y
tree), and the reproducer did not trigger any issue.

[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]

Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname
Reported-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Link: https://syzkaller.appspot.com/bug?extid=c6104ecfe56e0fd6b616
Tested-by: syzbot <syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Changjian Liu <driz2t@qq.com>
---
 fs/ocfs2/super.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index bb174009206e..ae2ba616756d 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2369,8 +2369,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
 			     (unsigned long long)bh->b_blocknr);
 		} else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
 			    le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
-			mlog(ML_ERROR, "bad cluster size found: %u\n",
-			     1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+			mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+			     le32_to_cpu(di->id2.i_super.s_clustersize_bits));
 		} else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
 			mlog(ML_ERROR, "bad root_blkno: 0\n");
 		} else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
-- 
2.43.0

Re: [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume

[Greg KH]

On Tue, Mar 24, 2026 at 07:04:58AM +0000, 1016331059@qq.com wrote:
> This patch is a backport to stable 5.15.y of upstream commit
> 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
> ("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This was attached, and could not be applied directly.  Please submit the
patch inline.

thanks,

greg k-h

[PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume

[1016331059]

This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function. The bug can be triggered by an invalid
s_clustersize_bits value, which causes the expression

  1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)

to exceed the valid shift range of a 32-bit integer, leading to an
out-of-bounds shift reported by UBSAN.

Instead of performing the invalid shift while printing the error message,
log the raw s_clustersize_bits value directly.

This backport was also tested by syzbot on Linux 5.15.201
(commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y
tree), and the reproducer did not trigger any issue.

[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]

Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname
Reported-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Link: https://syzkaller.appspot.com/bug?extid=c6104ecfe56e0fd6b616
Tested-by: syzbot <syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Changjian Liu <driz2t@qq.com>
---
 fs/ocfs2/super.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index bb174009206e..ae2ba616756d 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2369,8 +2369,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
 			     (unsigned long long)bh->b_blocknr);
 		} else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
 			    le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
-			mlog(ML_ERROR, "bad cluster size found: %u\n",
-			     1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+			mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+			     le32_to_cpu(di->id2.i_super.s_clustersize_bits));
 		} else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
 			mlog(ML_ERROR, "bad root_blkno: 0\n");
 		} else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
-- 
2.43.0