jfs: check if leafidx greater than num leaves per dmap tree

syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater
than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf.

Shaggy:
Modified sanity check to apply to control pages as well as leaf pages.

Reported-and-tested-by: syzbot+dca05492eff41f604890@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>

diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 8847e8c5d5b4532d8c0bd9f8ef0c94011ee3e6de..974ecf5e0d9522cce2d889c2304afce2e2fbc534 100644 (file)
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2944,9 +2944,10 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl)
 static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
 {
        int ti, n = 0, k, x = 0;
-       int max_size;
+       int max_size, max_idx;
 
        max_size = is_ctl ? CTLTREESIZE : TREESIZE;
+       max_idx = is_ctl ? LPERCTL : LPERDMAP;
 
        /* first check the root of the tree to see if there is
         * sufficient free space.
@@ -2978,6 +2979,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
                 */
                assert(n < 4);
        }
+       if (le32_to_cpu(tp->dmt_leafidx) >= max_idx)
+               return -ENOSPC;
 
        /* set the return to the leftmost leaf describing sufficient
         * free space.