syzbot reported a slab-out-of-bounds in journal_entry_dev_usage_to_text. It happens because vstruct_bytes(entry) is smaller than sizeof(struct jset_entry_dev_usage), so the subtraction in jset_entry_dev_usage_nr_types(u) overflows when calculating the difference.
Reported-by: syzbot+05d7520be047c9be8...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eada...@qq.com>
---
 fs/bcachefs/bcachefs_format.h | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/fs/bcachefs/bcachefs_format.h b/fs/bcachefs/bcachefs_format.h
index e3b1bde489c3..d536da101e89 100644
--- a/fs/bcachefs/bcachefs_format.h
+++ b/fs/bcachefs/bcachefs_format.h
@@ -1252,6 +1252,11 @@ struct jset_entry_dev_usage {
 static inline unsigned jset_entry_dev_usage_nr_types(struct jset_entry_dev_usage *u)
 {
+ if (vstruct_bytes(&u->entry) < sizeof(struct jset_entry_dev_usage)) {
+ pr_info("entry data bytes %u is too small", vstruct_bytes(&u->entry));
+ return 0;
+ }
+
 return (vstruct_bytes(&u->entry) - sizeof(struct jset_entry_dev_usage)) / sizeof(struct jset_entry_dev_usage_type);
 }
--
2.43.0
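Review bot: The added `pr_info` in the hunk has a format mismatch and a missing newline: `vstruct_bytes()` is built on `offsetof` and, as far as I recall, yields a `size_t`, so `%u` is the wrong specifier (`-Wformat` should flag it), and the string has no trailing `\n`; the corrected line would be `pr_info("entry data bytes %zu is too small\n", vstruct_bytes(&u->entry));`. Beyond the format, this helper is a plain accessor on an on-disk structure, so a message printed from it is reachable from any crafted image on every call with no rate limit; the defensive `return 0` is reasonable here, but the report belongs in the validate path for this journal entry type, which should reject an entry shorter than `sizeof(struct jset_entry_dev_usage)` so that `journal_entry_dev_usage_to_text` and the other callers never see one. If that validate path itself relies on this helper, returning 0 silently there would mask the corruption rather than surface it, so please confirm the short entry is rejected explicitly before the helper is trusted. I would keep the guard in the header as a two-line check without the print, `if (vstruct_bytes(&u->entry) < sizeof(struct jset_entry_dev_usage)) return 0;`, and move the diagnostic to validation.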