From: Pei Li peili.dev@gmail.com
[ Upstream commit 7063b80268e2593e58bee8a8d709c2f3ff93e2f2 ]
When searching for the next smaller log2 block, BLKSTOL2() returned 0, causing shift exponent -1 to be negative.
This patch fixes the issue by exiting the loop directly when negative shift is found.
Reported-by: syzbot+61be3359d2ee3467e7e4@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=61be3359d2ee3467e7e4
Signed-off-by: Pei Li peili.dev@gmail.com
Signed-off-by: Dave Kleikamp dave.kleikamp@oracle.com
Signed-off-by: Guocai He guocai.he.cn@windriver.com
---
fs/jfs/jfs_dmap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 3fa78e5f9b21..2906c95e837a 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -1694,6 +1694,8 @@ s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen) } else if (rc == -ENOSPC) { /* search for next smaller log2 block */ l2nb = BLKSTOL2(nblocks) - 1; + if (unlikely(l2nb < 0)) + break; nblocks = 1LL << l2nb; } else { /* Trim any already allocated blocks */
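Review bot: The added `if (unlikely(l2nb < 0)) break;` in the `rc == -ENOSPC` branch has no comment saying when it can trigger. Going by the commit message, it is the case where BLKSTOL2(nblocks) returns 0, so there is no smaller log2 block size left to try; a one-line comment above the check stating that would make clear the break is the end of the search and not an error path. The lines after the loop are not visible in this hunk, so it is also worth confirming that leaving the loop at this point, with rc still equal to -ENOSPC, is handled the same way as the loop's normal exit.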
On Fri, Dec 13, 2024 at 01:43:50PM +0800, guocai.he.cn@windriver.com wrote:
> From: Pei Li peili.dev@gmail.com
>
> [ Upstream commit 7063b80268e2593e58bee8a8d709c2f3ff93e2f2 ]
>
> When searching for the next smaller log2 block, BLKSTOL2() returned 0, causing shift exponent -1 to be negative.
>
> This patch fixes the issue by exiting the loop directly when negative shift is found.
>
> Reported-by: syzbot+61be3359d2ee3467e7e4@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=61be3359d2ee3467e7e4
> Signed-off-by: Pei Li peili.dev@gmail.com
> Signed-off-by: Dave Kleikamp dave.kleikamp@oracle.com
> Signed-off-by: Guocai He guocai.he.cn@windriver.com
>
> fs/jfs/jfs_dmap.c | 2 ++
> 1 file changed, 2 insertions(+)
Now deleted, please see: https://lore.kernel.org/r/2024121322-conjuror-gap-b542@gregkh for what you all need to do, TOGETHER, to get this fixed and so that I can accept patches from your company in the future.
thanks,
greg k-h
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 7063b80268e2593e58bee8a8d709c2f3ff93e2f2
WARNING: Author mismatch between patch and upstream commit:
Backport author: guocai.he.cn@windriver.com
Commit author: Pei Li peili.dev@gmail.com

Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: f650148b4394)
6.1.y | Present (different SHA1: bd04a149e3a2)
5.15.y | Not found
Note: The patch differs from the upstream commit: --- 1: 7063b80268e25 ! 1: 3d07377d81082 jfs: Fix shift-out-of-bounds in dbDiscardAG @@ Metadata ## Commit message ## jfs: Fix shift-out-of-bounds in dbDiscardAG
+ [ Upstream commit 7063b80268e2593e58bee8a8d709c2f3ff93e2f2 ] + When searching for the next smaller log2 block, BLKSTOL2() returned 0, causing shift exponent -1 to be negative.
@@ Commit message Closes: https://syzkaller.appspot.com/bug?extid=61be3359d2ee3467e7e4 Signed-off-by: Pei Li peili.dev@gmail.com Signed-off-by: Dave Kleikamp dave.kleikamp@oracle.com + Signed-off-by: Guocai He guocai.he.cn@windriver.com
## fs/jfs/jfs_dmap.c ## @@ fs/jfs/jfs_dmap.c: s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen) ---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y       | Success     | Success    |
linux-stable-mirror@lists.linaro.org