[PATCH v2] jfs: fix slab-out-of-bounds in dbAllocBits and dbFreeBits
From: Jun Yeong Kim
Date: Sun Mar 22 2026 - 09:38:53 EST
When the underlying loop device backend storage is dynamically changed
(e.g., via LOOP_SET_FD), JFS fails to update its internal block
allocation metadata. This causes dbAllocBits and dbFreeBits to use
stale db_agl2size, producing an out-of-range agno value that leads to
an out-of-bounds access on mp->db_agfree[agno].
Add bounds checks for agno in both dbAllocBits and dbFreeBits. If agno
is negative or exceeds MAXAG, report the error via jfs_error() and
return early to prevent the OOB access.
Reported-by: syzbot+0be47376a6acbcba7f0d@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=0be47376a6acbcba7f0d
Signed-off-by: Jun Yeong Kim <junyeonggim5@xxxxxxxxx>
---
fs/jfs/jfs_dmap.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cb3cda1390ad..c67ff5df0340 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2142,6 +2142,12 @@ static void dbAllocBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
int size;
s8 *leaf;
+ agno = blkno >> bmp->db_agl2size;
+ if (agno < 0 || agno >= MAXAG) {
+ jfs_error(bmp->db_ipbmap->i_sb, "%s: agno %d out of range\n", __func__, agno);
+ return;
+ }
+
/* pick up a pointer to the leaves of the dmap tree */
leaf = dp->tree.stree + LEAFIND;
@@ -2289,6 +2295,12 @@ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
int rc = 0;
int size;
+ agno = blkno >> bmp->db_agl2size;
+ if (agno < 0 || agno >= MAXAG) {
+ jfs_error(bmp->db_ipbmap->i_sb, "%s: agno %d out of range\n", __func__, agno);
+ return -EIO;
+ }
+
/* determine the bit number and word within the dmap of the
* starting block.
*/
--
2.47.3
This is v2, superseding:
https://lore.kernel.org/all/20260321132917.244818-1-junyeonggim5@xxxxxxxxx/
Changes in v2:
- Fix correct function (dbAllocBits) instead of dbFreeBits
- Add bounds check in dbFreeBits as well for consistency
- Use jfs_error() instead of pr_err()
- Use %s/__func__ instead of hardcoded function name
- Fix indentation issues reported by checkpatch