Re: [PATCH 5.15.y] ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume

Greg KH

Mar 24, 2026, 3:46:05 AM
to 10163...@qq.com, sta...@vger.kernel.org, ma...@fasheh.com, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+c6104e...@syzkaller.appspotmail.com
On Tue, Mar 24, 2026 at 07:04:58AM +0000, 10163...@qq.com wrote:
> This patch is a backport to stable 5.15.y of upstream commit
> 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
> ("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This was attached, and could not be applied directly. Please submit the
patch inline.

thanks,

greg k-h

10163...@qq.com

Mar 24, 2026, 4:27:22 AM
to sta...@vger.kernel.org, ma...@fasheh.com, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+c6104e...@syzkaller.appspotmail.com
This patch is a backport to stable 5.15.y of upstream commit
7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

This patch addresses a shift-out-of-bounds error in the
ocfs2_verify_volume() function. The bug can be triggered by an invalid
s_clustersize_bits value, which causes the expression

  1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits)

to exceed the valid shift range of a 32-bit integer, leading to an
out-of-bounds shift reported by UBSAN.

Instead of performing the invalid shift while printing the error message,
log the raw s_clustersize_bits value directly.

This backport was also tested by syzbot on Linux 5.15.201
(commit 3330a8d33e086f76608bb4e80a3dc569d04a8814 in the stable 5.15.y
tree), and the reproducer did not trigger any issue.

[ Upstream commit 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc ]

Reviewed-by: Joseph Qi <jose...@linux.alibaba.com>
Signed-off-by: Qasim Ijaz <qasd...@gmail.com>
Signed-off-by: Changjian Liu <dri...@qq.com>
c6104ecfe56e0fd6b616.patch
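
The pattern the changelog above describes (range-check the exponent read from disk, and report the raw value instead of shifting by it), as an added userspace example that is not code from this thread or from ocfs2. `get_le32()` and `cluster_size_from_bits()` are hypothetical names, and the sample byte arrays are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Accepted exponent range, taken from the check in the patch (12..20). */
#define CLUSTERSIZE_BITS_MIN 12u
#define CLUSTERSIZE_BITS_MAX 20u

/* Portable stand-in for le32_to_cpu(): decode 4 untrusted on-disk bytes. */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Hypothetical helper (not an ocfs2 function): range-check the exponent,
 * then shift. Returns 0 and stores the cluster size, or returns -1 and
 * writes a diagnostic holding the raw exponent. The error path never
 * evaluates 1 << bits, which is undefined once bits >= the type width.
 */
static int cluster_size_from_bits(const unsigned char *field,
                                  uint32_t *size_out, char *err, size_t errlen)
{
    uint32_t bits = get_le32(field);

    if (bits < CLUSTERSIZE_BITS_MIN || bits > CLUSTERSIZE_BITS_MAX) {
        snprintf(err, errlen, "bad cluster size bit found: %u", (unsigned)bits);
        return -1;
    }
    *size_out = UINT32_C(1) << bits; /* bits is within 12..20 here */
    return 0;
}

int main(void)
{
    /* Constructed sample fields: a valid exponent and a corrupted one. */
    const unsigned char good[4] = { 0x0c, 0x00, 0x00, 0x00 };
    const unsigned char bad[4] = { 0xff, 0xff, 0xff, 0x7f };
    uint32_t size = 0;
    char err[64] = "";

    if (cluster_size_from_bits(good, &size, err, sizeof(err)) == 0)
        printf("cluster size: %u\n", (unsigned)size);
    if (cluster_size_from_bits(bad, &size, err, sizeof(err)) != 0)
        printf("%s\n", err);
    return 0;
}
```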

10163...@qq.com

Mar 24, 2026, 4:30:54 AM
to sta...@vger.kernel.org, ma...@fasheh.com, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+c6104e...@syzkaller.appspotmail.com
---
 fs/ocfs2/super.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index bb174009206e..ae2ba616756d 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -2369,8 +2369,8 @@ static int ocfs2_verify_volume(struct ocfs2_dinode *di,
                       (unsigned long long)bh->b_blocknr);
            } else if (le32_to_cpu(di->id2.i_super.s_clustersize_bits) < 12 ||
                      le32_to_cpu(di->id2.i_super.s_clustersize_bits) > 20) {
-                 mlog(ML_ERROR, "bad cluster size found: %u\n",
-                      1 << le32_to_cpu(di->id2.i_super.s_clustersize_bits));
+                 mlog(ML_ERROR, "bad cluster size bit found: %u\n",
+                      le32_to_cpu(di->id2.i_super.s_clustersize_bits));
            } else if (!le64_to_cpu(di->id2.i_super.s_root_blkno)) {
                  mlog(ML_ERROR, "bad root_blkno: 0\n");
            } else if (!le64_to_cpu(di->id2.i_super.s_system_dir_blkno)) {
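Review bot: in the added mlog() call, the number printed after "%u" is now the raw exponent rather than a byte count, and "bad cluster size bit found" gives the reader no hint of that or of the accepted range (the check just above allows 12 through 20). If the string has to stay identical to the upstream commit for the backport, keep it, but say in the changelog that the logged number changes meaning and that anything matching on the old "bad cluster size found" text will stop seeing it. Separately, this mail starts at the "---" line, so the diff arrives without its changelog, the "[ Upstream commit ... ]" line or the Signed-off-by tags; those should sit above the "---" in the same message as the hunk.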
--
2.43.0

10163...@qq.com

Mar 24, 2026, 4:51:52 AM
to sta...@vger.kernel.org, ma...@fasheh.com, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+c6104e...@syzkaller.appspotmail.com

Greg KH

7:53 AM (9 hours ago)
to 10163...@qq.com, sta...@vger.kernel.org, ma...@fasheh.com, jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+c6104e...@syzkaller.appspotmail.com
On Tue, Mar 24, 2026 at 08:51:42AM +0000, 10163...@qq.com wrote:
> This patch is a backport to stable 5.15.y of upstream commit
> 7f86b2942791012ac7b4c481d1f84a58fd2fbcfc
> ("ocfs2: fix shift-out-of-bounds UBSAN bug in ocfs2_verify_volume()").

You forgot all the newer kernels as well, we can't take patches for only
older stable branches. Please provide backports for all of them and
resend this one then.

thanks,

greg k-h