BCC: lkp(a)intel.com CC: kbuild-all(a)lists.01.org In-Reply-To: <20221016012507.428006-1-dzm91@hust.edu.cn> References: <20221016012507.428006-1-dzm91@hust.edu.cn> TO: Dongliang Mu TO: Dave Kleikamp CC: Dongliang Mu CC: syzbot+15342c1aa6a00fb7a438(a)syzkaller.appspotmail.com CC: jfs-discussion(a)lists.sourceforge.net CC: linux-kernel(a)vger.kernel.org Hi Dongliang, Thank you for the patch! Perhaps something to improve: [auto build test WARNING on v6.1-rc1] [also build test WARNING on linus/master next-20221017] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Dongliang-Mu/fs-jfs-fix-shift-out-of-bounds-in-dbAllocAG/20221017-112358 patch link: https://lore.kernel.org/r/20221016012507.428006-1-dzm91%40hust.edu.cn patch subject: [PATCH v2] fs: jfs: fix shift-out-of-bounds in dbAllocAG :::::: branch date: 16 hours ago :::::: commit date: 16 hours ago config: m68k-randconfig-m041-20221017 compiler: m68k-linux-gcc (GCC) 12.1.0 If you fix the issue, kindly add following tag where applicable | Reported-by: kernel test robot | Reported-by: Dan Carpenter smatch warnings: fs/jfs/jfs_dmap.c:196 dbMount() warn: impossible condition '(bmp->db_bmap.dn_agl2size > (1 << (13 + 3 * 10)) - 7) => (s32min-s32max > 8796093022201)' vim +196 fs/jfs/jfs_dmap.c ^1da177e4c3f4152 Linus Torvalds 2005-04-16 135 ^1da177e4c3f4152 Linus Torvalds 2005-04-16 136 /* ^1da177e4c3f4152 Linus Torvalds 2005-04-16 137 * NAME: dbMount() ^1da177e4c3f4152 Linus Torvalds 2005-04-16 138 * ^1da177e4c3f4152 Linus Torvalds 2005-04-16 139 * FUNCTION: initializate the block allocation map. 
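 * memory is allocated for the in-core bmap descriptor and
 * the in-core descriptor is initialized from disk.
 *
 * PARAMETERS:
 *	ipbmap - pointer to in-core inode for the block map.
 *
 * RETURN VALUES:
 *	0	- success
 *	-ENOMEM	- insufficient memory
 *	-EIO	- i/o error
 *	-EINVAL	- wrong bmap data
 *
 * NOTE: the on-disk descriptor is untrusted input (a crafted image reaches
 * this path at mount time), so any field that is later used as a shift
 * count or array bound has to be range-checked here, before it is stored
 * in the in-core descriptor that the allocator trusts.
 */
int dbMount(struct inode *ipbmap)
{
	struct bmap *bmp;
	struct dbmap_disk *dbmp_le;
	struct metapage *mp;
	int i, err;

	/*
	 * allocate/initialize the in-memory bmap descriptor
	 */
	/* allocate memory for the in-memory bmap descriptor */
	bmp = kmalloc(sizeof(struct bmap), GFP_KERNEL);
	if (bmp == NULL)
		return -ENOMEM;

	/* read the on-disk bmap descriptor. */
	mp = read_metapage(ipbmap,
			   BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
			   PSIZE, 0);
	if (mp == NULL) {
		err = -EIO;
		goto err_kfree_bmp;
	}

	/* copy the on-disk bmap descriptor to its in-memory version. */
	dbmp_le = (struct dbmap_disk *) mp->data;
	bmp->db_mapsize = le64_to_cpu(dbmp_le->dn_mapsize);
	bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
	bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
	bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
	if (!bmp->db_numag) {
		err = -EINVAL;
		goto err_release_metapage;
	}

	bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
	bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
	bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
	bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
	bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
	bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
	bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
	bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
	/*
	 * db_agl2size is a log2 value (a signed 32-bit field) that the
	 * allocator reportedly uses as a shift count -- the syzbot
	 * shift-out-of-bounds in dbAllocAG() this check is meant to stop.
	 * The bound therefore has to be the log2 limit L2MAXL2SIZE - L2MAXAG,
	 * not MAXMAPSIZE: MAXMAPSIZE is 1 << L2MAXL2SIZE, a block count far
	 * above INT_MAX, so "db_agl2size > MAXMAPSIZE - L2MAXAG" is always
	 * false (smatch: impossible condition) and rejects nothing.  A
	 * negative shift count is just as undefined, so reject that too.
	 */
	if (bmp->db_agl2size < 0 ||
	    bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) {
		err = -EINVAL;
		goto err_release_metapage;
	}

	for (i = 0; i < MAXAG; i++)
		bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
	bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
	bmp->db_maxfreebud = dbmp_le->dn_maxfreebud;

	/* release the buffer. */
	release_metapage(mp);

	/* bind the bmap inode and the bmap descriptor to each other. */
	bmp->db_ipbmap = ipbmap;
	JFS_SBI(ipbmap->i_sb)->bmap = bmp;

	memset(bmp->db_active, 0, sizeof(bmp->db_active));

	/*
	 * allocate/initialize the bmap lock
	 */
	BMAP_LOCK_INIT(bmp);

	return (0);

	/* error unwind: undo in reverse order of acquisition. */
err_release_metapage:
	release_metapage(mp);
err_kfree_bmp:
	kfree(bmp);
	return err;
}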