From 81340acf017eba683a00bccea187242d92c2960a Mon Sep 17 00:00:00 2001 From: Ghanshyam Agrawal Date: Mon, 30 Sep 2024 13:16:46 +0530 Subject: [PATCH] jfs: fix shift-out-of-bounds in dbSplit To: shaggy@kernel.org, ghandatmanas@gmail.com, juntong.deng@outlook.com, aha310510@gmail.com, peili.dev@gmail.com, ghanshyam1898@gmail.com, eadavis@qq.com Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org When dmt_budmin is less than zero, it causes errors in the later stages. Added a check to return an error beforehand in dbAllocCtl itself. Reported-by: syzbot+b5ca8a249162c4b9a7d0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=b5ca8a249162c4b9a7d0 Signed-off-by: Ghanshyam Agrawal --- fs/jfs/jfs_dmap.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 974ecf5e0d95..f65a07252c22 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -1808,6 +1808,7 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results) s64 b, lblkno, n; struct metapage *mp; struct dmap *dp; + dmtree_t *tp; /* check if the allocation request is confined to a single dmap. */ @@ -1819,6 +1820,10 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results) if (mp == NULL) return -EIO; dp = (struct dmap *) mp->data; + tp = (dmtree_t *) &dp->tree; + + if (tp->dmt_budmin < 0) + return -EIO; /* try to allocate the blocks. */ -- 2.34.1
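Review bot: The new `if (tp->dmt_budmin < 0) return -EIO;` in the second hunk returns without releasing `mp`: the existing `return -EIO` two lines above is taken only when `mp == NULL`, so this is the first path that leaves dbAllocCtl while holding a successfully read metapage whose `data` was just cast to `dp`. Assuming the normal path releases it further down (the read_metapage/release_metapage calls are outside the hunk), the bail-out should do the same, `if (tp->dmt_budmin < 0) { release_metapage(mp); return -EIO; }`, otherwise a corrupted image that trips this check also leaks a metapage reference on every allocation attempt. A short comment such as `/* corrupt dmap tree: a negative budmin drives the shift-out-of-bounds in dbSplit (syzbot) */` would record why -EIO is the right answer here, since the commit message only says it "causes errors in the later stages". The body of dbAllocCtl begins and ends outside both hunks.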