Commit 7816bc95 authored Aug 28, 2024 by Pei Li Committed by GONG Ruiqi Aug 28, 2024

jfs: Fix shift-out-of-bounds in dbDiscardAG

mainline inclusion
from mainline-v6.11-rc1
commit 7063b80268e2593e58bee8a8d709c2f3ff93e2f2
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMMML
CVE: CVE-2024-44938

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7063b80268e2593e58bee8a8d709c2f3ff93e2f2



-------------------------------------------------

When searching for the next smaller log2 block, BLKSTOL2() returned 0,
causing shift exponent -1 to be negative.

This patch fixes the issue by exiting the loop directly when negative
shift is found.

Reported-by:  <syzbot+61be3359d2ee3467e7e4@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=61be3359d2ee3467e7e4


Signed-off-by: Pei Li <peili.dev@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: GONG Ruiqi <gongruiqi1@huawei.com>

parent a3e2493c

fs/jfs/jfs_dmap.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -1694,6 +1694,8 @@ s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen)
		} else if (rc == -ENOSPC) {
		/* search for next smaller log2 block */
		l2nb = BLKSTOL2(nblocks) - 1;
		if (unlikely(l2nb < 0))
		break;
		nblocks = 1LL << l2nb;
		} else {
		/* Trim any already allocated blocks */