* [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume
@ 2026-03-24 7:04 1016331059
2026-03-24 7:45 ` Greg KH
0 siblings, 1 reply; 4+ messages in thread
From: 1016331059 @ 2026-03-24 7:04 UTC
To: stable@vger.kernel.org
Cc: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com
[-- Attachment #1.1: Type: text/plain, Size: 1479 bytes --]
This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").
This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function. The bug can be triggered by an invalid
s_clustersize_bits value, which causes the expression
1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)
to exceed the valid shift range of a 32-bit integer, leading to an
out-of-bounds shift reported by UBSAN.
Instead of performing the invalid shift while printing the error message,
log the raw s_clustersize_bits value directly.
This backport was also tested by syzbot on Linux 5.15.201
(commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y
tree), and the reproducer did not trigger any issue.
[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]
Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname
Reported-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Link: https://syzkaller.appspot.com/bug?extid=c6104ecfe56e0fd6b616
Tested-by: syzbot <syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Changjian Liu <driz2t@qq.com>
[-- Attachment #1.2: Type: text/html, Size: 7139 bytes --]
[-- Attachment #2: c6104ecfe56e0fd6b616.patch --]
[-- Type: application/octet-stream, Size: 2568 bytes --]
From ae310006fc6e06c233b8d6780b2a2c6a16d6d708 Mon Sep 17 00:00:00 2001
From: Changjian Liu <driz2t@qq.com>
Date: Mon, 23 Mar 2026 11:39:19 +0800
Subject: [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in
ocfs2_verify_volume()
This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").
This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function. The bug can be triggered by an invalid
s_clustersize_bits value, which causes the expression
1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)
to exceed the valid shift range of a 32-bit integer, leading to an
out-of-bounds shift reported by UBSAN.
Instead of performing the invalid shift while printing the error message,
log the raw s_clustersize_bits value directly.
This backport was also tested by syzbot on Linux 5.15.201
(commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y
tree), and the reproducer did not trigger any issue.
[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]
Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname
Reported-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Link: https://syzkaller.appspot.com/bug?extid=c6104ecfe56e0fd6b616
Tested-by: syzbot <syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Changjian Liu <driz2t@qq.com>
---
fs/ocfs2/super.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index bb174009206e..ae2ba616756d 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2369,8 +2369,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
(unsigned long long)bh->b_blocknr);
} else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
- mlog(ML_ERROR, "bad cluster size found: %u\n",
- 1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+ mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+ le32_to_cpu(di->id2.i_super.s_clustersize_bits));
} else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
mlog(ML_ERROR, "bad root_blkno: 0\n");
} else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
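Review bot: the new format string on the added mlog() line, "bad cluster size bit found: %u\n", is ambiguous about what is being printed; naming the field and the accepted range, for example "bad s_clustersize_bits found: %u (expected 12..20)", would let someone reading the log map it straight back to the check two lines above. Printing the raw value is the right call here, because this branch is only entered when the superblock field is outside 12..20, so the removed "1 << le32_to_cpu(...)" always ran with an unvalidated shift count, including counts of 32 or more. If the string is deliberately kept as-is to stay identical to the upstream commit, that is worth one line in the changelog.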
--
2.43.0
* Re: [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume
2026-03-24 7:04 1016331059
@ 2026-03-24 7:45 ` Greg KH
0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2026-03-24 7:45 UTC
To: 1016331059@qq.com
Cc: stable@vger.kernel.org, mark@fasheh.com, jlbec@evilplan.org,
joseph.qi@linux.alibaba.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com
On Tue, Mar 24, 2026 at 07:04:58AM +0000, 1016331059@qq.com wrote:
> This patch is a backport to stable 5.15.y of upstream commit
> 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
> ("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").
This was attached, and could not be applied directly. Please submit the
patch inline.
thanks,
greg k-h
* [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume
@ 2026-03-24 8:51 1016331059
2026-04-23 11:53 ` Greg KH
0 siblings, 1 reply; 4+ messages in thread
From: 1016331059 @ 2026-03-24 8:51 UTC
To: stable@vger.kernel.org
Cc: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com
This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").
This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function. The bug can be triggered by an invalid
s_clustersize_bits value, which causes the expression
1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)
to exceed the valid shift range of a 32-bit integer, leading to an
out-of-bounds shift reported by UBSAN.
Instead of performing the invalid shift while printing the error message,
log the raw s_clustersize_bits value directly.
This backport was also tested by syzbot on Linux 5.15.201
(commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y
tree), and the reproducer did not trigger any issue.
[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]
Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname
Reported-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Link: https://syzkaller.appspot.com/bug?extid=c6104ecfe56e0fd6b616
Tested-by: syzbot <syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Changjian Liu <driz2t@qq.com>
---
fs/ocfs2/super.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index bb174009206e..ae2ba616756d 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2369,8 +2369,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
(unsigned long long)bh->b_blocknr);
} else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
- mlog(ML_ERROR, "bad cluster size found: %u\n",
- 1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+ mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+ le32_to_cpu(di->id2.i_super.s_clustersize_bits));
} else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
mlog(ML_ERROR, "bad root_blkno: 0\n");
} else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
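Review bot: le32_to_cpu(di->id2.i_super.s_clustersize_bits) is now written out three times in this branch, twice in the range check and once in the added mlog() argument; reading it once into a local u32 ahead of the if/else chain would shorten the branch and make it obvious that the value logged is the value that was range-checked. For a stable backport that may be more churn than is wanted, in which case keeping the change to these two lines is reasonable. The changelog could also mention that the logged text changes from "bad cluster size found" to "bad cluster size bit found" and that the number printed is now the bit count rather than a byte size, since anything matching on the old string or interpreting the old number will need updating.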
--
2.43.0
* Re: [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume
2026-03-24 8:51 [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume 1016331059
@ 2026-04-23 11:53 ` Greg KH
0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2026-04-23 11:53 UTC
To: 1016331059@qq.com
Cc: stable@vger.kernel.org, mark@fasheh.com, jlbec@evilplan.org,
joseph.qi@linux.alibaba.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com,
syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com
On Tue, Mar 24, 2026 at 08:51:42AM +0000, 1016331059@qq.com wrote:
> This patch is a backport to stable 5.15.y of upstream commit
> 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
> ("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").
You forgot all the newer kernels as well, we can't take patches for only
older stable branches. Please provide backports for all of them and
resend this one then.
thanks,
greg k-h