[lvc-project] [PATCH] ocfs2: fix __counted_by_le() usage in ocfs2_expand_inline_dx_root()

Heming Zhao heming.zhao at suse.com
Tue Oct 14 04:44:36 MSK 2025


Hi,

I have a different view.

On 10/14/25 08:55, Joseph Qi wrote:
> 
> 
> On 2025/10/13 23:30, Dmitry Antipov wrote:
>> After annotating 'l_recs[]' VLA member of 'struct ocfs2_extent_list'
>> with '__counted_by_le(l_count)', 'l_count' should be initialized
>> before touching 'l_recs[]' with 'memset()' to avoid false positives
>> from buffer overflow guards when CONFIG_UBSAN_BOUNDS is enabled.
>>
>> Fixes: aa545adbe491 ("ocfs2: annotate flexible array members with __counted_by_le()")
>> Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
> 
> Looks fine.
> Reviewed-by: Joseph Qi <joseph.qi at linux.alibaba.com>
> 
> Andrew, could you please help fold this into the origin patch? Thanks.
> 
>> ---
>> note: since the commit in subject is not merged to upstream yet, Fixes: reference is taken from
>> https://web.git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git/commit/?h=mm-nonmm-unstable&id=aa545adbe491
>> ---
>>   fs/ocfs2/dir.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
>> index 3c2dacba9b0a..d9a2fcb63bbb 100644
>> --- a/fs/ocfs2/dir.c
>> +++ b/fs/ocfs2/dir.c
>> @@ -4133,10 +4133,10 @@ static int ocfs2_expand_inline_dx_root(struct inode *dir,
>>   	}
>>   
>>   	dx_root->dr_flags &= ~OCFS2_DX_FLAG_INLINE;
>> -	memset(&dx_root->dr_list, 0, osb->sb->s_blocksize -
>> -	       offsetof(struct ocfs2_dx_root_block, dr_list));
>>   	dx_root->dr_list.l_count =
>>   		cpu_to_le16(ocfs2_extent_recs_per_dx_root(osb->sb));

If the memset cleans dx_root->dr_list->l_recs[], or "osb->sb->s_blocksize -
(offsetof(struct ocfs2_dx_root_block, dr_list) + offsetof(struct ocfs2_extent_list, l_recs))" this patch is correct.

But the subsequent memset() call cleans all the members of dr_list.
Therefore, dr_list.l_count is reset to ZERO and the data is corrupted.

- Heming
>> +	memset(&dx_root->dr_list, 0, osb->sb->s_blocksize -
>> +	       offsetof(struct ocfs2_dx_root_block, dr_list));
>>   
>>   	/* This should never fail considering we start with an empty
>>   	 * dx_root. */
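Review bot: the moved memset() at the end of the hunk still starts at &dx_root->dr_list with length s_blocksize minus offsetof(struct ocfs2_dx_root_block, dr_list), so its range includes dr_list.l_count and wipes the value the two preceding lines just stored; the on-disk l_count ends up 0, which trades a false positive from the bounds checker for real corruption. If l_count has to be written before the clear, narrow the clear to the records, e.g. `memset(dx_root->dr_list.l_recs, 0, osb->sb->s_blocksize - (offsetof(struct ocfs2_dx_root_block, dr_list) + offsetof(struct ocfs2_extent_list, l_recs)))`, and reset the other dr_list header fields separately; otherwise keep the original order.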
> 
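To make Heming's objection concrete, here is a small stand-alone C demo added for this page; it is not code from the kernel, from the patch, or from any of the posters. It mirrors the dx_root / extent-list layout with hypothetical demo_* structures and a constructed 512-byte block, then runs the patched ordering (set l_count, memset() the whole dr_list) beside a records-only memset() and reports what each leaves in l_count and in the record area.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the ocfs2 on-disk structures in the patch.
 * Names and sizes are hypothetical; what matters is the layout: a header,
 * then an extent list whose flexible array runs to the end of the block. */
#define DEMO_BLOCK_SIZE 512            /* role of osb->sb->s_blocksize */

struct demo_extent_rec {               /* for struct ocfs2_extent_rec */
	uint32_t e_cpos;
	uint64_t e_blkno;
};

struct demo_extent_list {              /* for struct ocfs2_extent_list */
	uint16_t l_tree_depth;
	uint16_t l_count;                  /* the count __counted_by_le() names */
	uint16_t l_next_free_rec;
	uint16_t l_reserved1;
	struct demo_extent_rec l_recs[];   /* flexible array member */
};

struct demo_dx_root_block {            /* for struct ocfs2_dx_root_block */
	uint8_t  dr_signature[8];
	uint32_t dr_flags;
	uint8_t  dr_pad[20];
	struct demo_extent_list dr_list;   /* last member, as in the kernel */
};

/* Byte offset of l_recs from the start of the block. */
static size_t demo_recs_offset(void)
{
	return offsetof(struct demo_dx_root_block, dr_list) +
	       offsetof(struct demo_extent_list, l_recs);
}

/* Records that fit from l_recs to the end of the block
 * (the role of ocfs2_extent_recs_per_dx_root()). */
static uint16_t demo_recs_per_dx_root(void)
{
	return (uint16_t)((DEMO_BLOCK_SIZE - demo_recs_offset()) /
			  sizeof(struct demo_extent_rec));
}

/* Fill the block with a non-zero pattern so stale bytes stay visible. */
static void demo_poison(void *block)
{
	memset(block, 0xA5, DEMO_BLOCK_SIZE);
}

/* True when every byte from l_recs to the end of the block is zero. */
static int demo_recs_cleared(const void *block)
{
	const uint8_t *p = block;
	for (size_t i = demo_recs_offset(); i < DEMO_BLOCK_SIZE; i++)
		if (p[i] != 0)
			return 0;
	return 1;
}

/* Order from the posted patch (the pre-patch code ran memset() first):
 * set l_count, then clear from dr_list to the end of the block.  The
 * memset() range starts at dr_list and therefore includes l_count. */
static uint16_t demo_expand_patched(void *block)
{
	struct demo_dx_root_block *root = block;
	root->dr_list.l_count = demo_recs_per_dx_root();
	memset(&root->dr_list, 0,
	       DEMO_BLOCK_SIZE - offsetof(struct demo_dx_root_block, dr_list));
	return root->dr_list.l_count;      /* 0: the count was just wiped */
}

/* Heming's alternative: set the count, then clear only from l_recs to the
 * end of the block.  The other dr_list header fields are reset by hand
 * here, since the narrower memset() no longer reaches them. */
static uint16_t demo_expand_recs_only(void *block)
{
	struct demo_dx_root_block *root = block;
	root->dr_list.l_tree_depth = 0;
	root->dr_list.l_next_free_rec = 0;
	root->dr_list.l_reserved1 = 0;
	root->dr_list.l_count = demo_recs_per_dx_root();
	memset(root->dr_list.l_recs, 0, DEMO_BLOCK_SIZE - demo_recs_offset());
	return root->dr_list.l_count;
}

int main(void)
{
	uint64_t block[DEMO_BLOCK_SIZE / sizeof(uint64_t)]; /* 8-byte aligned */
	unsigned count;
	int cleared;

	demo_poison(block);
	count = demo_expand_patched(block);
	cleared = demo_recs_cleared(block);
	printf("patched order:      l_count = %u, recs cleared = %d\n", count, cleared);
	demo_poison(block);
	count = demo_expand_recs_only(block);
	cleared = demo_recs_cleared(block);
	printf("records-only clear: l_count = %u, recs cleared = %d\n", count, cleared);
	return 0;
}
```

Both variants leave the record area zeroed; only the records-only clear also leaves l_count equal to the number of records that fit in the block, which is what the on-disk extent list needs.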
