On Fri, Dec 12, 2025 at 5:36 AM Swaraj Gaikwad <[email protected]> wrote:
>
> Syzkaller reported an out-of-bounds access in ocfs2_xa_remove_entry(),
> triggered when removing an xattr entry.
>
> The root cause is that the original code decrements xh_count in-place using
> le16_add_cpu() before reading the updated count value into a local variable.
> However, due to the way the entry removal logic interacts with the array bounds
> checking (enforced by __counted_by(xh_count)), the stale count during subsequent
> operations leads to the out-of-bounds access during the removal process.
> This patch fixes the issue by reading the current count first, computing the
> decremented value locally, and then explicitly writing the updated count back to
> xh_count at the end of the function. This ensures the array bounds are correctly
> reflected throughout the entry removal without relying on in-place modification
> timing.
>
> The fix has been tested by reproducing the syzkaller crash report, which no longer
> triggers after applying the patch.
>
> Reported-by: [email protected]
> Closes: https://syzkaller.appspot.com./bug?extid=cf96bc82a588a27346a8
> Signed-off-by: Swaraj Gaikwad <[email protected]>
Reviewed-by: Mark Fasheh <[email protected]>
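The ordering discipline the commit message describes (read the count once, compute the decremented value locally, perform the removal while the published count still covers every slot touched, and write the new count back last) is shown below as an added example; it is not the ocfs2 code or the patch itself. The struct and function names, the host-endian count field and the sample entries are constructed for illustration, and __counted_by falls back to a no-op where the compiler lacks the attribute, so the block builds everywhere while still carrying the annotation where bounds sanitizers can use it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fallback so this example also builds with compilers that lack counted_by. */
#ifndef __counted_by
#  if defined(__has_attribute)
#    if __has_attribute(counted_by)
#      define __counted_by(member) __attribute__((counted_by(member)))
#    else
#      define __counted_by(member)
#    endif
#  else
#    define __counted_by(member)
#  endif
#endif

/* Constructed stand-in for an xattr entry; not the on-disk ocfs2 layout. */
struct xattr_entry {
	uint32_t name_hash;
	uint16_t value_len;
	uint16_t flags;
};

/* Constructed header: 'count' is the bound the compiler associates with entries[].
 * The real ocfs2 field is little-endian; host order is used here to keep the
 * example free of byte-order helpers. */
struct xattr_header {
	uint16_t count;     /* number of live entries; governs entries[] bounds */
	uint16_t capacity;  /* slots actually allocated (bookkeeping only) */
	struct xattr_entry entries[] __counted_by(count);
};

struct xattr_header *xattr_header_alloc(uint16_t capacity)
{
	struct xattr_header *xh = calloc(1, sizeof(*xh) + (size_t)capacity * sizeof(struct xattr_entry));
	if (xh)
		xh->capacity = capacity;
	return xh;
}

/* Growing is the mirror image of removal: publish the larger count first so the
 * new slot is inside the annotated bounds when it is written. */
int xattr_add_entry(struct xattr_header *xh, struct xattr_entry e)
{
	uint16_t count = xh->count;
	if (count >= xh->capacity)
		return -1;
	xh->count = count + 1;
	xh->entries[count] = e;
	return 0;
}

/* Removal following the pattern from the commit message: do not decrement the
 * published count in place and then keep working; read it, compute the new
 * value locally, finish every access to the array, then write the count back.
 * Had xh->count been decremented first, clearing the old last slot (index
 * count - 1 before the decrement, index count after it) would sit one past the
 * annotated bound and trip a counted_by-aware bounds check. */
int xattr_remove_entry(struct xattr_header *xh, size_t index)
{
	uint16_t count = xh->count;         /* 1. read the current count once */
	if (index >= count)
		return -1;
	uint16_t new_count = count - 1;     /* 2. compute the decremented value locally */

	/* 3. slide the tail down; xh->count still covers slots index..count-1 */
	if (index < new_count)
		memmove(&xh->entries[index], &xh->entries[index + 1],
			(size_t)(new_count - index) * sizeof(struct xattr_entry));
	memset(&xh->entries[new_count], 0, sizeof(struct xattr_entry));

	xh->count = new_count;              /* 4. write the updated count back last */
	return 0;
}

int main(void)
{
	struct xattr_header *xh = xattr_header_alloc(4);
	if (!xh)
		return 1;
	xattr_add_entry(xh, (struct xattr_entry){ .name_hash = 0x11, .value_len = 1 });
	xattr_add_entry(xh, (struct xattr_entry){ .name_hash = 0x22, .value_len = 2 });
	xattr_add_entry(xh, (struct xattr_entry){ .name_hash = 0x33, .value_len = 3 });
	xattr_remove_entry(xh, 1);
	printf("count=%u first=0x%x second=0x%x\n", xh->count,
	       xh->entries[0].name_hash, xh->entries[1].name_hash);
	free(xh);
	return 0;
}
```

The four numbered steps in xattr_remove_entry are the whole point: the array bound the compiler reasons about is the published count, so every memmove and memset must complete before that count shrinks, and on the growth path the count must grow before the new slot is touched.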
