From: Edward Adam Davis eadavis@qq.com
[ Upstream commit 2d04df8116426b6c7b9f8b9b371250f666a2a2fb ]
The reproducer builds a corrupted file on disk with a negative i_size value. Add a check when opening this file to avoid subsequent operation failures.
Reported-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=630f6d40b3ccabc8e96e
Tested-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis eadavis@qq.com
Signed-off-by: Dave Kleikamp dave.kleikamp@oracle.com
Signed-off-by: Sasha Levin sashal@kernel.org
---
LLM Generated explanations, may be completely bogus:
**YES**
This commit should be backported to stable kernel trees for the following reasons:
## Bug Fix Nature

The commit fixes a **data corruption vulnerability** where a corrupted JFS filesystem can have regular files with negative `i_size` values. This is clearly a bug that affects users, as evidenced by:

- The syzbot report indicating this was found through fuzzing
- The potential for subsequent operation failures when accessing such corrupted files

## Security and Stability Impact

1. **Prevents kernel crashes/errors**: Without this check, opening a file with negative `i_size` can lead to subsequent operation failures and potentially undefined behavior when the negative size is used in calculations (line 63 checks `inode->i_size == 0`)
2. **Similar to other filesystem protections**: The analysis shows EROFS has a similar check (fs/erofs/inode.c:134-137) that returns `-EFSCORRUPTED` for negative i_size, indicating this is a recognized filesystem corruption pattern that needs protection

## Minimal and Contained Fix

The fix is:

- **Only 3 lines of code** - extremely minimal change
- **Early validation** at file open time - prevents issues before they cascade
- **No architectural changes** - just adds a simple validation check
- **No new features** - purely defensive programming
- **Confined to JFS subsystem** - doesn't affect other kernel components

## Low Risk of Regression

- The check only triggers for already-corrupted filesystems (negative i_size is never valid for regular files)
- Returns standard `-EIO` error that applications already handle
- Placed before any other operations, minimizing interaction with existing code
- Tests confirm the fix works (Tested-by tag from syzbot)

## Stable Tree Criteria Met

This perfectly fits the stable kernel rules:

- Fixes a real bug (filesystem corruption handling)
- Minimal change (3 lines)
- Obviously correct (negative file sizes are invalid)
- Already tested
- No new functionality
The commit prevents potential kernel instability, data corruption issues, or security vulnerabilities when dealing with corrupted JFS filesystems, making it an ideal candidate for stable backporting.
fs/jfs/file.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/jfs/file.c b/fs/jfs/file.c index 01b6912e60f8..742cadd1f37e 100644 --- a/fs/jfs/file.c +++ b/fs/jfs/file.c @@ -44,6 +44,9 @@ static int jfs_open(struct inode *inode, struct file *file) { int rc;
+ if (S_ISREG(inode->i_mode) && inode->i_size < 0) + return -EIO; + if ((rc = dquot_file_open(inode, file))) return rc;
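Review bot: the new `if (S_ISREG(inode->i_mode) && inode->i_size < 0)` test in jfs_open rejects the corrupted regular file only on the open path, but the negative i_size originates when the inode is read from disk, so any code that reaches the inode without going through jfs_open still sees the bad size; consider validating i_size where the on-disk inode is decoded instead of, or in addition to, here, so the corrupted inode is refused once for every user. The accompanying analysis itself notes that EROFS returns -EFSCORRUPTED for the same condition; returning -EFSCORRUPTED rather than the generic -EIO would tell callers what went wrong and match that precedent. Finally, a negative size is just as invalid for directories and symlinks as for regular files, so restricting the test to S_ISREG leaves those inode types unchecked; dropping the S_ISREG qualifier (or stating in the commit message why only regular files need it) would close that gap.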