From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2981D17A305 for ; Fri, 10 Apr 2026 04:04:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.180 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775793844; cv=none; b=K0bkuN5SHeXYVYr90sGtwRd4W1JGBf7Dm6joUvlfeNdNFRLfjdKDLcybERYbY1PXG/H0flQ19Zm0/X4z7bFFMwG90I0zeMBxR9fGEEEw8pFU6APLFU770pDElBNLsgKFCQVigOExUfqgvG4sfj4EkKnxpcwBLvKwAEJ8PUV07RM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775793844; c=relaxed/simple; bh=8FEFgHqZ/3Vz15DR/+rmlIBFg7lMuoAa2V8SWyRQd2I=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=hEmfOLfoLzuDauvlNAXBxIistpIMlduATZkT/oYatgaRmkPXwOevLvlXlnoVypqIgo4JembXjE3vQML9/weRKwrKi+XIPsWBfdL2RbL0deKTirHP/LTha3RWzIpeWGRtMgNlB5AToqbJWBY0gHi+EPXxFYCDGciN7n0SQ6xlY58= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=SHXFNx77; arc=none smtp.client-ip=209.85.214.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="SHXFNx77" Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-2b24fcc2b5dso11588165ad.1 for ; Thu, 09 Apr 2026 21:04:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775793842; x=1776398642; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Crmw0XiLmJTudaBPwp2D4YgBmClNy6wRoSqg0r+HY08=; b=SHXFNx77XyeNJJ5gUYRfvfd8UDUre+V3B2bkyguIqNHRTJdzH6Z2iwlxvD9FGtJlCJ it63sQNRm8PvoV431PjIKfQO4cl335NLKCMJyeN3uelc+uDXuZeIZry2b0Vqg3n/GA5X J+fbpUBKW5paHkneT+pWN1bRhZxHvmgBBLnlbLSq5DK01yrNwfBUQsIMTKiPLwXIqh4l TsyVs4X4zn5RPIOHy5igQ93RvpmWn1h5qKmL94LnORIf/BlMM1sdvIK6xdiYNgPAS14H mmxvsXYRx9T1jNoTV0fdxSHsNPD1hToyWbup6qkmubU0OnoWP0DOnIXEYjfdmr5sznTI 1n9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775793842; x=1776398642; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Crmw0XiLmJTudaBPwp2D4YgBmClNy6wRoSqg0r+HY08=; b=AXckRDpNSapG6sxsDXyIoLVUVmNC36Fbpw9IoATU1YN/rNWtNxHuyEUMTdNkBT2B8O xDRPVoV1gdTXw+Y5bLwxRyN97keD5aAkQpcSxT17PBCSzI72RoQAH4nd+tumvURKlNOs ORjQJBiF2D7fW3cyMhLP+fdQjO3P5iMQRJD9p7PliI7Fq7ell//UnCnMq8mim5YA8m6q 7EUn2IsBc/ZeKUyrDAn5CvLPZQkZh2k+oZxh6K+PhyaNRUIxE4FKxjfWqdu5d9v0hKjC 2aP7sCfv14u58WvzfZJnekSZd6/JRyXgfqwJ6aV4EVdlkSbyzuTAi3nA0WtzQIJmiPLx rMUQ== X-Forwarded-Encrypted: i=1; AJvYcCUfjagGTFDH3X+t1fmyPYCUlGEZvPSmemb6Z7304Mrpq3FopPg+bmRKmMt9BlKZScJveX/MAtQNACKXFSI=@vger.kernel.org X-Gm-Message-State: AOJu0Yz6DzFE7+OD29eTPpbPi9Aq90VvAh6sZ9QFz1AoFJmeNhdtThlj rgtodk4PRibDiWdJ+yUcBXXZhq7GKtMWDtmrHoUEcBuvzZqr1LHKecMs X-Gm-Gg: AeBDieu4uGMlI5oMi16/uIv54RItCrDPLOsiiNt5PhSMcW8T70qQ5aqlBceYcAJgSM6 YnDqfu3v0YwLZIMM0c4Py7jeIc2i5ROkUMWVCt8zzWrIXeudyTKJfarBwrcj5pOYVYZS2D8yWFf LD854jBjYyLucX7AhZiR7qTDUNTKV7HkbcieE9BIGx2b5Hix6E/XJnRj6rp9dlDkVxHYhycl8W0 yE6prQgqaXWTaZlh86+zIGP+XiQzCu18KfkABvWWI2BRH86L5LYCbma1o7zACPG2nMClunw3aUl Ri3bRjTR48dE7tCDfF/7JGG5tOtMCvIeb0caX4j3fovkd1SMr63i/ZIc8wlckpvgCnsfbbwin/E dH8AhhLgYBv9WSLWKl02Ilcaam3YeOU/jCt8Zjw4EzEClamAA8QZOeNxxBVmHXVvjSTtXyelFUV lTvD/yAMjvMT+JWazG9ylh1uVzr1xoswTuwXIat0mbanDEf8E4/PREw1BiaR31/tjbC+VOiMSiK tW7Yty5 X-Received: by 2002:a17:902:b698:b0:2ab:230d:2d96 with SMTP id d9443c01a7336-2b2d5976d64mr11605535ad.11.1775793842299; Thu, 09 Apr 2026 21:04:02 -0700 (PDT) Received: from kernel-fuzz.. ([138.199.21.245]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2b2d4dd610esm11803225ad.20.2026.04.09.21.03.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Apr 2026 21:04:01 -0700 (PDT) From: ZhengYuan Huang To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com, tao.ma@oracle.com Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang Subject: [PATCH] ocfs2: fix listxattr handling when the buffer is full Date: Fri, 10 Apr 2026 12:03:39 +0800 Message-ID: <20260410040339.3837162-1-gality369@gmail.com> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit [BUG] If an OCFS2 inode has both inline and block-based xattrs, listxattr() can return a size larger than the caller's buffer when the inline names consume that buffer exactly. kernel BUG at mm/usercopy.c:102! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:usercopy_abort+0xb7/0xd0 mm/usercopy.c:102 Call Trace: __check_heap_object+0xe3/0x120 mm/slub.c:8243 check_heap_object mm/usercopy.c:196 [inline] __check_object_size mm/usercopy.c:250 [inline] __check_object_size+0x5c5/0x780 mm/usercopy.c:215 check_object_size include/linux/ucopysize.h:22 [inline] check_copy_size include/linux/ucopysize.h:59 [inline] copy_to_user include/linux/uaccess.h:219 [inline] listxattr+0xb0/0x170 fs/xattr.c:926 filename_listxattr fs/xattr.c:958 [inline] path_listxattrat+0x137/0x320 fs/xattr.c:988 __do_sys_listxattr fs/xattr.c:1001 [inline] __se_sys_listxattr fs/xattr.c:998 [inline] __x64_sys_listxattr+0x7f/0xd0 fs/xattr.c:998 ... [CAUSE] Commit 936b8834366e ("ocfs2: Refactor xattr list and remove ocfs2_xattr_handler().") replaced the old per-handler list accounting with ocfs2_xattr_list_entry(), but it kept using size == 0 to detect probe mode. That assumption stops being true once ocfs2_listxattr() finishes the inline-xattr pass. If the inline names fill the caller buffer exactly, the block-xattr pass runs with a non-NULL buffer and a remaining size of zero. ocfs2_xattr_list_entry() then skips the bounds check, keeps counting block names, and returns a positive size larger than the supplied buffer. [FIX] Detect probe mode by testing whether the destination buffer pointer is NULL instead of whether the remaining size is zero. That restores the pre-refactor behavior and matches the OCFS2 getxattr helpers. Once the remaining buffer reaches zero while more names are left, the block-xattr pass now returns -ERANGE instead of reporting a size larger than the allocated list buffer. Fixes: 936b8834366e ("ocfs2: Refactor xattr list and remove ocfs2_xattr_handler().") Signed-off-by: ZhengYuan Huang --- fs/ocfs2/xattr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -906,8 +906,8 @@ static int ocfs2_xattr_list_entry(struct super_block *sb, prefix_len = strlen(prefix); total_len = prefix_len + name_len + 1; *result += total_len; - /* we are just looking for how big our buffer needs to be */ - if (!size) + /* No buffer means we are only looking for the required size. */ + if (!buffer) return 0; if (*result > size) -- 2.49.0