Re: [PATCH] jfs: dtInsertEntry can result in buffer overflow on corrupted jfs filesystems

[Dave Kleikamp]

On 12/1/25 7:20AM, Jori Koolstra wrote:
> Below syzbot bug has not been fixed yet. If anyone has time I would
> greatly appreciate a review of my patch, so it can be moved along.
> It has been sitting for quite a few weeks.

I've been busy with some other work as well as being out on vacation 
lately. I have several patches to review, but have not forgotten this. 
I'll try to get to it later this week.

Thanks,
Shaggy

> Thanks,
> Jori.
>
> > Op 29-10-2025 00:23 CET schreef Jori Koolstra <jkoolstra@xxxxxxxxx>:
> >
> >   
> > Syzbot reported a general protection fault in inode_set_ctime_current.
> > This resulted from the following circumstances: when creating a new file
> > via dtInsert, BT_GETSEARCH may yield a pointer to a dtroot which is
> > embedded directly in the jfs_inode_info. When finally dtInsertEntry is
> > called, if the freelist field or any next field of a slot of the dtpage
> > is corrupted, this may result in memory corruption of the parent
> > directory inode.
> >
> > In this case the i_sb field was corrupted, which raised the gpf when
> > in inode_set_ctime_current i_sb was dereferenced to access s_time_gran.
> >
> > I tested the patch using the syzbot reproducer and doing some basic
> > filesystem operations on a fresh jfs fs, such as "cp -r /usr/include/
> > /mnt/jfs/" and "rm -r /mnt/jfs/include/n*"
> >
> > Signed-off-by: Jori Koolstra <jkoolstra@xxxxxxxxx>
> > Reported-by: syzbot+cd7590567cc388f064f3@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzbot.org/bug?extid=cd7590567cc388f064f3