On Fri, Dec 12, 2025 at 03:18:06PM -0800, Mark Fasheh wrote:
> On Fri, Dec 12, 2025 at 5:36 AM Swaraj Gaikwad
> <[email protected]> wrote:
> >
> > Syzkaller reported an out-of-bounds access in ocfs2_xa_remove_entry(),
> > triggered when removing an xattr entry.
> >
> > The root cause is that the original code decrements xh_count in-place using
> > le16_add_cpu() before reading the updated count value into a local variable.
> > However, due to the way the entry removal logic interacts with the array bounds
> > checking (enforced by __counted_by(xh_count)), the stale count during subsequent
> > operations leads to the out-of-bounds access during the removal process.
> > This patch fixes the issue by reading the current count first, computing the
> > decremented value locally, and then explicitly writing the updated count back to
> > xh_count at the end of the function. This ensures the array bounds are correctly
> > reflected throughout the entry removal without relying on in-place modification
> > timing.
> >
> > The fix has been tested by reproducing the syzkaller crash report, which no longer
> > triggers after applying the patch.
> >
> > Reported-by: [email protected]
> > Closes: https://syzkaller.appspot.com./bug?extid=cf96bc82a588a27346a8
> > Signed-off-by: Swaraj Gaikwad <[email protected]>
>
> Reviewed-by: Mark Fasheh <[email protected]>
>
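The bug class described in the quoted commit message, as an added example that is not ocfs2 code and not either of the patches discussed in this thread: a flexible array whose length is carried by a count field, one removal routine that decrements the count in place before clearing the old tail slot, and one that keeps the count untouched until the last array access is done. The struct and function names (xa_header, xa_entry, remove_entry_buggy, remove_entry_fixed, run_removal) are assumptions for this example. Since __counted_by() only turns into a runtime check when the kernel is built with the bounds sanitizer, the example emulates that check with a small helper (checked_entry) that counts violations instead of trapping, so it runs with any C compiler and shows why entries[count - 1] is out of bounds once count has already been decremented.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an on-disk xattr header; names and layout are
 * assumptions for this example, not ocfs2's ocfs2_xattr_header. */
struct xa_entry {
    uint32_t name_hash;
    uint16_t name_len;
    uint16_t value_off;
};

struct xa_header {
    uint16_t        count;     /* plays the role of xh_count */
    struct xa_entry entries[]; /* plays the role of xh_entries __counted_by(xh_count) */
};

/* Emulates the check that __counted_by(count) plus -fsanitize=bounds would insert:
 * entries[idx] is valid only while idx < the *current* value of count.
 * Instead of trapping, the violation is counted and the access refused. */
static int oob_hits;

static struct xa_entry *checked_entry(struct xa_header *h, unsigned idx)
{
    if (idx >= h->count) {
        oob_hits++;
        return NULL;
    }
    return &h->entries[idx];
}

/* Buggy shape: count is decremented in place first (like le16_add_cpu(&xh_count, -1)),
 * so the later access to the old tail slot, entries[count - 1], has index == new
 * count and is out of bounds as far as the annotation is concerned. */
static void remove_entry_buggy(struct xa_header *h, unsigned idx)
{
    unsigned count = h->count;
    unsigned num = count - idx - 1;
    struct xa_entry *tail;

    h->count--;
    if (num)
        memmove(&h->entries[idx], &h->entries[idx + 1], num * sizeof(*h->entries));
    tail = checked_entry(h, count - 1); /* flagged: count - 1 == h->count */
    if (tail)
        memset(tail, 0, sizeof(*tail));
}

/* Fixed shape: read count once, do every array access while count still describes
 * the real array, and write the decremented value back only at the end. */
static void remove_entry_fixed(struct xa_header *h, unsigned idx)
{
    unsigned count = h->count;
    unsigned num = count - idx - 1;
    struct xa_entry *tail;

    if (num)
        memmove(&h->entries[idx], &h->entries[idx + 1], num * sizeof(*h->entries));
    tail = checked_entry(h, count - 1); /* in bounds: count - 1 < h->count */
    if (tail)
        memset(tail, 0, sizeof(*tail));
    h->count = (uint16_t)(count - 1);
}

/* Builds a header with n constructed entries (name_hash = 0x100 + i), removes entry
 * idx with fn, copies the resulting slots to out[0..n-1] and the new count to
 * *out_count, and returns how many accesses the emulated bounds check flagged. */
static int run_removal(void (*fn)(struct xa_header *, unsigned),
                       unsigned n, unsigned idx, uint32_t *out, unsigned *out_count)
{
    struct xa_header *h = calloc(1, sizeof(*h) + n * sizeof(struct xa_entry));
    int hits;

    if (!h)
        return -1;
    h->count = (uint16_t)n;
    for (unsigned i = 0; i < n; i++)
        h->entries[i].name_hash = 0x100 + i; /* constructed sample data */

    oob_hits = 0;
    fn(h, idx);
    hits = oob_hits;

    *out_count = h->count;
    for (unsigned i = 0; i < n; i++)
        out[i] = h->entries[i].name_hash; /* slot n-1 should have been cleared */
    free(h);
    return hits;
}

int main(void)
{
    uint32_t out[4];
    unsigned count;
    int hits;

    hits = run_removal(remove_entry_buggy, 4, 1, out, &count);
    printf("buggy: flagged=%d count=%u tail=0x%x\n", hits, count, out[3]);
    hits = run_removal(remove_entry_fixed, 4, 1, out, &count);
    printf("fixed: flagged=%d count=%u tail=0x%x\n", hits, count, out[3]);
    return 0;
}
```

Two things worth noticing when reading the output. The buggy routine is flagged even when the removed entry is the last one (no memmove at all), because the only offending access is the clear of the old tail slot; and because that access is refused, the stale entry is left behind, which is the kind of on-disk residue a sanitizer-less build would silently keep. The general rule for any __counted_by() array is the same as the fix above: when the array shrinks, update the counter after the last access to the old range; when it grows, update the counter before the first access to the new range.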
Hi Swaraj and Mark,

Dmitry Antipov has sent a patch to fix this issue, and the patch has been reviewed.
ref: https://lore.kernel.org/ocfs2-devel/[email protected]/T/#u

Thanks,
Heming
