[PATCH] jfs: fix slab-out-of-bounds read in dbAllocBits
From: Jun Yeong Kim
Date: Sat Mar 21 2026 - 09:30:13 EST
When the underlying loop device backend storage is
dynamically changed (e.g., via LOOP_SET_FD), JFS fails
to update its internal block allocation metadata.
This causes the `dbAllocBits` function to use outdated
db_agl2size information, resulting in a wrong,
oversized agno value.
This oversized agno leads to a slab-out-of-bounds read access when
accessing mp->db_agfree[agno].
Fix this by adding a bounds check for the calculated agno. If agno
is less than 0 or exceeds MAXAG, return -EIO to prevent the OOB access.
Reported-by: Kun Hu <huk23@xxxxxxxxxxxxxx>
Reported-by: Jiaji Qin <jjtan24@xxxxxxxxxxxxxx>
Reported-by: Shuoran Bai <baishuoran@xxxxxxxxxxxx>
Closes: https://syzkaller.appspot.com/bug?extid=0be47376a6acbcba7f0d
Signed-off-by: Jun Yeong Kim <junyeonggim5@xxxxxxxxx>
---
fs/jfs/jfs_dmap.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cb3cda1390ad..79816849aebb 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2288,6 +2288,15 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
dmtree_t *tp = (dmtree_t *) & dp->tree;
int rc = 0;
int size;
+
+ {
+ int check_agno = blkno >> bmp->db_agl2size;
+
+ if (check_agno >= MAXAG || check_agno < 0) {
+ pr_err("JFS: agno out of bounds in dbAllocBits!\n");
+ return -EIO;
+ }
+ }
/* determine the bit number and word within the dmap of the
* starting block.
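Review bot: The hunk lands in dbFreeBits (see the `@@ ... static int dbFreeBits(` header and the `dp->tree` / `rc` / `size` locals), but the subject line and the `pr_err("JFS: agno out of bounds in dbAllocBits!\n")` text both name dbAllocBits; either the check was added to the wrong function or the message and subject are wrong, and if the out-of-bounds read is in dbAllocBits the same check is still missing there. Also, `blkno` is `s64`, so assign `blkno >> bmp->db_agl2size` to an `s64` (or at least range-check before narrowing) rather than truncating into `int check_agno` and then relying on the `< 0` test to catch the wrap; declare that variable with the other locals instead of opening a bare `{ ... }` block between the declarations and the first comment, and use the subsystem's `jfs_err()` helper (or a rate-limited print) rather than a bare `pr_err()` that can be triggered repeatedly from a corrupt image. Finally, the description attributes the bad `db_agl2size` to a backend change under the mounted filesystem; a bounds check at this call site only stops the read and does not refresh or validate `db_agl2size` itself, so it would help to state in the commit message why that is the intended scope.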
--
2.47.3