From: "1016331059@qq.com" <1016331059@qq.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: "mark@fasheh.com" <mark@fasheh.com>,
"jlbec@evilplan.org" <jlbec@evilplan.org>,
"joseph.qi@linux.alibaba.com" <joseph.qi@linux.alibaba.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"syzkaller-bugs@googlegroups.com"
<syzkaller-bugs@googlegroups.com>,
"syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com"
<syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com>
Subject: [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume
Date: Tue, 24 Mar 2026 07:04:58 +0000 [thread overview]
Message-ID: <tencent_BA29A271C331E1BB2072C04E5D55C1B90405@qq.com> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 1479 bytes --]
This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").
This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function. The bug can be triggered by an invalid
s_clustersize_bits value, which causes the expression
1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)
to exceed the valid shift range of a 32-bit integer, leading to an
out-of-bounds shift reported by UBSAN.
Instead of performing the invalid shift while printing the error message,
log the raw s_clustersize_bits value directly.
This backport was also tested by syzbot on Linux 5.15.201
(commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y
tree), and the reproducer did not trigger any issue.
[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]
Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname
Reported-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Link: https://syzkaller.appspot.com/bug?extid=c6104ecfe56e0fd6b616
Tested-by: syzbot <syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Changjian Liu <driz2t@qq.com>
[-- Attachment #1.2: Type: text/html, Size: 7139 bytes --]
[-- Attachment #2: c6104ecfe56e0fd6b616.patch --]
[-- Type: application/octet-stream, Size: 2568 bytes --]
From ae310006fc6e06c233b8d6780b2a2c6a16d6d708 Mon Sep 17 00:00:00 2001
From: Changjian Liu <driz2t@qq.com>
Date: Mon, 23 Mar 2026 11:39:19 +0800
Subject: [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in
ocfs2_verify_volume()
This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").
This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function. The bug can be triggered by an invalid
s_clustersize_bits value, which causes the expression
1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)
to exceed the valid shift range of a 32-bit integer, leading to an
out-of-bounds shift reported by UBSAN.
Instead of performing the invalid shift while printing the error message,
log the raw s_clustersize_bits value directly.
This backport was also tested by syzbot on Linux 5.15.201
(commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y
tree), and the reproducer did not trigger any issue.
[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]
Link: https://lkml.kernel.org/r/ZsPvwQAXd5R/jNY+@hostname
Reported-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=f3fff775402751ebb471
Tested-by: syzbot <syzbot+f3fff775402751ebb471@syzkaller.appspotmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Link: https://syzkaller.appspot.com/bug?extid=c6104ecfe56e0fd6b616
Tested-by: syzbot <syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com>
Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Signed-off-by: Changjian Liu <driz2t@qq.com>
---
fs/ocfs2/super.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index bb174009206e..ae2ba616756d 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2369,8 +2369,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
(unsigned long long)bh->b_blocknr);
} else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
- mlog(ML_ERROR, "bad cluster size found: %u\n",
- 1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+ mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+ le32_to_cpu(di->id2.i_super.s_clustersize_bits));
} else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
mlog(ML_ERROR, "bad root_blkno: 0\n");
} else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
--
2.43.0
next reply other threads:[~2026-03-24 7:05 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-24 7:04 1016331059 [this message]
2026-03-24 7:45 ` [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume Greg KH
-- strict thread matches above, loose matches on Subject: below --
2026-03-24 8:51 1016331059
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tencent_BA29A271C331E1BB2072C04E5D55C1B90405@qq.com \
--to=1016331059@qq.com \
--cc=jlbec@evilplan.org \
--cc=joseph.qi@linux.alibaba.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mark@fasheh.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+c6104ecfe56e0fd6b616@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox