[lvc-project] [PATCH v2] ocfs2: adjust ocfs2_xa_remove_entry() to match UBSAN boundary checks

Joseph Qi joseph.qi at linux.alibaba.com
Fri Dec 12 07:49:33 MSK 2025



On 2025/12/12 11:21, Heming Zhao wrote:
> On Thu, Dec 11, 2025 at 06:59:49PM +0300, Dmitry Antipov wrote:
>> After introducing 2f26f58df041 ("ocfs2: annotate flexible array members
>> with __counted_by_le()"), syzbot has reported the following issue:
>>
>> UBSAN: array-index-out-of-bounds in fs/ocfs2/xattr.c:1955:3
>> index 2 is out of range for type 'struct ocfs2_xattr_entry[]
>> __counted_by(xh_count)' (aka 'struct ocfs2_xattr_entry[]')
>> ...
>> Call Trace:
>>  <TASK>
>>  dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
>>  ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
>>  __ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:455
>>  ocfs2_xa_remove_entry+0x36d/0x3e0 fs/ocfs2/xattr.c:1955
>>  ...
>>
>> To address this issue, 'xh_entries[]' member removal should be performed
>> before actually changing 'xh_count', thus making sure that all array
>> accesses match the boundary checks performed by UBSAN.
>>
>> Reported-by: syzbot+cf96bc82a588a27346a8 at syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=cf96bc82a588a27346a8
>> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
> 
> LGTM.
> Reviewed-by: Heming Zhao <heming.zhao at suse.com>

Acked-by: Joseph Qi <joseph.qi at linux.alibaba.com>
> 
>> ---
>> v2: adjust commit metadata per Heming's notices
>> ---
>>  fs/ocfs2/xattr.c | 5 +++--
>>  1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
>> index dc1761e84814..de99276d12f0 100644
>> --- a/fs/ocfs2/xattr.c
>> +++ b/fs/ocfs2/xattr.c
>> @@ -1941,8 +1941,7 @@ static void ocfs2_xa_remove_entry(struct ocfs2_xa_loc *loc)
>>  	ocfs2_xa_wipe_namevalue(loc);
>>  	loc->xl_entry = NULL;
>>  
>> -	le16_add_cpu(&xh->xh_count, -1);
>> -	count = le16_to_cpu(xh->xh_count);
>> +	count = le16_to_cpu(xh->xh_count) - 1;
>>  
>>  	/*
>>  	 * Only zero out the entry if there are more remaining.  This is
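Review bot: the new `count = le16_to_cpu(xh->xh_count) - 1;` has no guard against `xh_count` already being 0 on entry, in which case `count` goes negative (or wraps, depending on its declared type, which is outside this hunk). The removed `le16_add_cpu(&xh->xh_count, -1)` had the same property, so this is not a regression, but since the trigger was a syzbot-fuzzed image, a one-line comment stating that callers guarantee `xh_count >= 1` here (or an explicit check) would make the invariant visible to the next reader. Also worth confirming that nothing in the elided lines between this hunk and the next reads `xh->xh_count` directly rather than `count`, since the on-disk value now stays at the old count until the end of the function.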
>> @@ -1957,6 +1956,8 @@ static void ocfs2_xa_remove_entry(struct ocfs2_xa_loc *loc)
>>  		memset(&xh->xh_entries[count], 0,
>>  		       sizeof(struct ocfs2_xattr_entry));
>>  	}
>> +
>> +	xh->xh_count = cpu_to_le16(count);
>>  }
>>  
>>  /*
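Review bot: the deferred write-back `xh->xh_count = cpu_to_le16(count);` is what makes `memset(&xh->xh_entries[count], ...)` satisfy the `__counted_by(xh_count)` bound (index `count` equals the old count minus one, the last valid slot while `xh_count` is still unchanged), but nothing in the code says so. Add a short comment above the assignment, e.g. "/* Update xh_count last: xh_entries[] is __counted_by(xh_count), so all entry accesses above must happen against the old count. */", so the ordering is not "cleaned up" back to the original form later. Placing the store after the closing brace of the `if` is correct since both branches must update the count.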
>> -- 
>> 2.52.0
>>
