Re: [syzbot] ocfs2: shift-out-of-bounds UBSAN bug in ocfs2_verify_volume

Re: [syzbot] ocfs2: shift-out-of-bounds UBSAN bug in ocfs2_verify_volume

[1016331059]

Hi Syzbot,

This patch is a fix for the bug reported by you.
Bug ID: c6104ecfe56e0fd6b616
Link: https://syzkaller.appspot.com/bug?extid=c6104ecfe56e0fd6b616

This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

Please test it on the public 5.15.y tree below.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git 3330a8d33e086f76608bb4e80a3dc569d04a8814

From ae310006fc6e06c233b8d6780b2a2c6a16d6d708 Mon Sep 17 00:00:00 2001
From: Changjian Liu <driz2t@qq.com>
Date: Mon, 23 Mar 2026 11:39:19 +0800
Subject: [PATCH] ocfs2: fix shift-out-of-bounds UBSAN bug in
 ocfs2_verify_volume()

This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function, identified by UBSAN. The bug was
triggered by an invalid s_clustersize_bits value (e.g., 1548), which
caused the expression

  1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)

to exceed the limits of a 32-bit integer, leading to an out-of-bounds
shift.

Instead of shifting by an invalid bit count while reporting the error,
log the raw s_clustersize_bits value directly.

[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]
---
 fs/ocfs2/super.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index bb174009206e..ae2ba616756d 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2369,8 +2369,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
                  (unsigned long long)bh->b_blocknr);
         } else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
                 le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
-            mlog(ML_ERROR, "bad cluster size found: %u\n",
-                 1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+            mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+                 le32_to_cpu(di->id2.i_super.s_clustersize_bits));
         } else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
             mlog(ML_ERROR, "bad root_blkno: 0\n");
         } else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
-- 
2.43.0

Thanks,
Changjian Liu

Re: [v5.15] UBSAN: shift-out-of-bounds in ocfs2_fill_super

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/ocfs2/super.c
Hunk #1 FAILED at 2369.
1 out of 1 hunk FAILED



Tested on:

commit:         3330a8d3 Linux 5.15.201
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=e1bb6d24ef2164eb
dashboard link: https://syzkaller.appspot.com/bug?extid=c6104ecfe56e0fd6b616
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14ce97ef980000