UFS: uspi->s_3apb UBSAN: shift-out-of-bounds
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Committed | Low | Agathe Porte | |
| Jammy | Fix Released | Low | Agathe Porte | |
| Noble | Fix Released | Low | Agathe Porte | |
| Oracular | Fix Released | Low | Agathe Porte | |
Bug Description
[ Impact ]
A UBSAN shift-out-of-bounds warning appears on the system when some UFS filesystems are mounted.
[ Test Plan ]
Mount the UFS partition with the proposed kernel and verify that the warning
is gone.
[ Where problems could occur ]
Should have zero impact, removes dead code.
[ Original Bug Report ]
Hello!
I have mounted a UFS partition (ufstype=ufs2).
Ubuntu allows only read-only mounts for UFS by default, so it is mounted with the ro option.
I see those messages in the log:
kernel: ------------[ cut here ]------------
kernel: UBSAN: shift-out-of-bounds in /build/
kernel: shift exponent 36 is too large for 32-bit type 'int'
kernel: CPU: 3 PID: 2212 Comm: mount Not tainted 6.8.0-48-generic #48-Ubuntu
kernel: Hardware name: SOYO SY-YL B550M/SY-YL B550M, BIOS 5.17 05/19/2023
kernel: Call Trace:
kernel: <TASK>
kernel: dump_stack_
kernel: dump_stack+
kernel: __ubsan_
kernel: ufs_fill_
kernel: ? sb_set_
kernel: ? __pfx_ufs_
kernel: mount_bdev+
kernel: ufs_mount+0x15/0x30 [ufs]
kernel: legacy_
kernel: vfs_get_
kernel: do_new_
kernel: path_mount+
kernel: ? putname+0x5b/0x80
kernel: __x64_sys_
kernel: x64_sys_
kernel: do_syscall_
kernel: ? srso_return_
kernel: ? mntput+0x24/0x50
kernel: ? srso_return_
kernel: ? path_put+0x1e/0x30
kernel: ? srso_return_
kernel: ? do_faccessat+
kernel: ? srso_return_
kernel: ? syscall_
kernel: ? srso_return_
kernel: ? do_syscall_
kernel: ? srso_return_
kernel: ? syscall_
kernel: ? srso_return_
kernel: ? do_syscall_
kernel: ? srso_return_
kernel: ? __do_sys_
kernel: ? srso_return_
kernel: ? srso_return_
kernel: ? syscall_
kernel: ? srso_return_
kernel: ? do_syscall_
kernel: ? srso_return_
kernel: ? irqentry_
kernel: ? srso_return_
kernel: ? exc_page_
kernel: entry_SYSCALL_
kernel: RIP: 0033:0x7417b2d2af0e
kernel: Code: 48 8b 0d 0d 7f 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 7e 0d 00 f7 d8 64 89 01 48
kernel: RSP: 002b:00007fff11
kernel: RAX: ffffffffffffffda RBX: 000059b6f92e7b00 RCX: 00007417b2d2af0e
kernel: RDX: 000059b6f92e7f10 RSI: 000059b6f92e81b0 RDI: 000059b6f92e83f0
kernel: RBP: 00007fff1145f540 R08: 000059b6f92e8150 R09: 00007fff1145f5b0
kernel: R10: 0000000000000401 R11: 0000000000000246 R12: 000059b6f92e83f0
kernel: R13: 000059b6f92e81b0 R14: 000059b6f92e7f10 R15: 000059b6f92e7c60
kernel: </TASK>
kernel: ---[ end trace ]---
kernel: ------------[ cut here ]------------
kernel: UBSAN: shift-out-of-bounds in /build/
kernel: shift exponent 36 is too large for 32-bit type 'int'
kernel: CPU: 6 PID: 2113 Comm: mount Not tainted 6.8.0-48-generic #48-Ubuntu
kernel: Hardware name: SOYO SY-YL B550M/SY-YL B550M, BIOS 5.17 05/19/2023
kernel: Call Trace:
kernel: <TASK>
kernel: dump_stack_
kernel: dump_stack+
kernel: __ubsan_
kernel: ? srso_return_
kernel: ufs_fill_
kernel: ? sb_set_
kernel: ? __pfx_ufs_
kernel: mount_bdev+
kernel: ufs_mount+0x15/0x30 [ufs]
kernel: legacy_
kernel: vfs_get_
kernel: do_new_
kernel: path_mount+
kernel: ? putname+0x5b/0x80
kernel: __x64_sys_
kernel: x64_sys_
kernel: do_syscall_
kernel: ? srso_return_
kernel: ? srso_return_
kernel: ? syscall_
kernel: ? srso_return_
kernel: ? do_syscall_
kernel: ? srso_return_
kernel: ? do_syscall_
kernel: ? srso_return_
kernel: ? do_syscall_
kernel: ? srso_return_
kernel: ? irqentry_
kernel: ? srso_return_
kernel: ? exc_page_
kernel: entry_SYSCALL_
kernel: RIP: 0033:0x7b616d52af0e
kernel: Code: 48 8b 0d 0d 7f 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d da 7e 0d 00 f7 d8 64 89 01 48
kernel: RSP: 002b:00007ffc10
kernel: RAX: ffffffffffffffda RBX: 00005d6eb3bc9b00 RCX: 00007b616d52af0e
kernel: RDX: 00005d6eb3bc9f10 RSI: 00005d6eb3bca1b0 RDI: 00005d6eb3bca3f0
kernel: RBP: 00007ffc10c38820 R08: 00005d6eb3bca150 R09: 00007ffc10c38890
kernel: R10: 0000000000000401 R11: 0000000000000246 R12: 00005d6eb3bca3f0
kernel: R13: 00005d6eb3bca1b0 R14: 00005d6eb3bc9f10 R15: 00005d6eb3bc9c60
kernel: </TASK>
kernel: ---[ end trace ]---
cat /proc/version_
Ubuntu 6.8.0-48.48-generic 6.8.12
| Changed in | Field | Change |
|---|---|---|
| | summary | Kernel messages about UFS → UFS: uspi->s_3apbUBSAN: shift-out-of-bounds |
| | summary | UFS: uspi->s_3apbUBSAN: shift-out-of-bounds → UFS: uspi->s_3apb UBSAN: shift-out-of-bounds |
| linux (Ubuntu Oracular) | status | In Progress → Fix Committed |
| linux (Ubuntu Noble) | status | In Progress → Fix Committed |
| linux (Ubuntu Jammy) | status | In Progress → Fix Committed |
| | tags | added: kernel-daily-bug |

Hi,
Are you able to access the filesystem at all despite the warning?
Are you able to access the filesystem on another system running a different operating system?
From reading the code in fs/ufs/super.c it seems that such a high value should never be reached under normal conditions for usb1->fs_bshift, i.e. the fs_bshift field of the UFS superblock:
struct ufs_super_block {
...
__fs32 fs_bshift; /* ``lblkno'' calc of logical blkno */
...
};
This looks like a corrupted superblock from your filesystem.
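
The warning in the report, `shift exponent 36 is too large for 32-bit type 'int'`, is what UBSAN prints when a shift count is not smaller than the width of the shifted type. The following is an added example, not code from the kernel or from this bug's fix: a user-space C sketch of checking a shift value read from disk before using it. The function names and the range bounds passed in `main` are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_OF(type) ((unsigned)(sizeof(type) * CHAR_BIT))

/* 1 << exp as int32_t; rejects exp >= 32 (undefined, the case UBSAN
 * reports) and exp == 31 (would overflow into the sign bit). */
bool checked_shl_s32(uint32_t exp, int32_t *out)
{
    if (exp >= BITS_OF(int32_t) - 1)
        return false;
    *out = (int32_t)1 << exp;
    return true;
}

/* 1 << exp as uint64_t; exponents 0..63 are well defined. */
bool checked_shl_u64(uint32_t exp, uint64_t *out)
{
    if (exp >= BITS_OF(uint64_t))
        return false;
    *out = (uint64_t)1 << exp;
    return true;
}

/* Hypothetical mount-time helper: derive a size from an on-disk shift field.
 * Returns 0 on success, -1 if the value is outside the caller's accepted
 * range or cannot be shifted in the destination type. */
int size_from_disk_shift(uint32_t shift, uint32_t min_shift,
                         uint32_t max_shift, int32_t *size)
{
    if (shift < min_shift || shift > max_shift)
        return -1;
    return checked_shl_s32(shift, size) ? 0 : -1;
}

int main(void)
{
    int32_t size = 0;  /* the shift values below are constructed inputs */

    printf("shift 12 -> %d\n", size_from_disk_shift(12, 9, 16, &size));
    printf("shift 36 -> %d\n", size_from_disk_shift(36, 9, 40, &size));
    return 0;
}
```

The second call fails even though 36 is inside the caller's range, because the destination type is only 32 bits wide; the same exponent is valid for `checked_shl_u64`.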