[PATCH] jfs: validate budmin to prevent shift-out-of-bounds in dbAllocAG()
From: Sukrut Heroorkar
Date: Sat Oct 18 2025 - 01:32:26 EST
syzbot reported "UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1440:48
shift exponent -1 is negative".
The budmin value can have a negative value and cause shift-out-of-bounds from UBSAN.
Add a check on budmin immediately after reading it from the metapage,
and return an error if it's negative. This prevents UBSAN reports and
correctly treats corrupted metadata as an I/O error.
Reported-by: syzbot+4b717071f1eecb2972df@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=4b717071f1eecb2972df
Tested-by: syzbot+4b717071f1eecb2972df@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Sukrut Heroorkar <hsukrut3@xxxxxxxxx>
---
fs/jfs/jfs_dmap.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index cdfa699cd7c8..76f4b9322034 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -1372,6 +1372,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
dcp = (struct dmapctl *) mp->data;
budmin = dcp->budmin;
+ if (unlikely(budmin < 0)) {
+ jfs_err("JFS: dmapctl corruption: budmin=%d", budmin);
+ release_metapage(mp);
+ return -EIO;
+ }
+
if (dcp->leafidx != cpu_to_le32(CTLLEAFIND)) {
jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n");
release_metapage(mp);
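Review bot: the new check in this hunk reports the corruption with jfs_err() and a plain -EIO, while the adjacent leafidx check on the same page uses jfs_error(bmp->db_ipbmap->i_sb, ...), which also marks the filesystem as corrupt so the mount's error policy is applied; a bad budmin is the same class of on-disk corruption, so for consistency consider `jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page: budmin=%d\n", budmin);` before the release_metapage()/return -EIO. Also, only the negative case is rejected here; since the motivating report is an out-of-range shift exponent, it is worth confirming in the commit message whether a too-large budmin read from a corrupt page is impossible on this path or whether an upper bound should be validated as well.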
--
2.43.0