From: Jiasheng Jiang
To: Mark Fasheh, Joel Becker, Joseph Qi, linux-kernel@vger.kernel.org
Cc: ocfs2-devel@lists.linux.dev, Jiasheng Jiang
Subject: [PATCH] ocfs2: fix NULL pointer dereference in ocfs2_xattr_get_rec
Date: Sat, 17 Jan 2026 17:35:56 +0000
Message-Id: <20260117173556.36601-1-jiashengjiangcool@gmail.com>

In ocfs2_xattr_get_rec, the variable 'rec' is initialized to NULL. If the
extent list 'el' is empty (l_next_free_rec == 0), the loop iterating over
the records is skipped, leaving 'rec' as NULL.

Since 'e_blkno' is initialized to 0, the function enters the error
handling block 'if (!e_blkno)'. Inside this block, the function calls
ocfs2_error() and attempts to dereference 'rec' via
'le32_to_cpu(rec->e_cpos)' and 'ocfs2_rec_clusters(el, rec)'. This results
in a NULL pointer dereference and a kernel panic.

Fix this by ensuring 'rec' is not NULL before accessing its members within
the error handling path, or by checking for an empty list explicitly.

Signed-off-by: Jiasheng Jiang
---
 fs/ocfs2/xattr.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 1b21fbc16d73..b018c84dbc05 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c
@@ -3757,10 +3757,16 @@ static int ocfs2_xattr_get_rec(struct inode *inode, } =20 if (!e_blkno) { - ret =3D ocfs2_error(inode->i_sb, "Inode %lu has bad extent record (%u, %= u, 0) in xattr\n", - inode->i_ino, - le32_to_cpu(rec->e_cpos), - ocfs2_rec_clusters(el, rec)); + if (rec) + ret =3D ocfs2_error(inode->i_sb, + "Inode %lu has bad extent record (%u, %u, 0) in xattr\n", + inode->i_ino, + le32_to_cpu(rec->e_cpos), + ocfs2_rec_clusters(el, rec)); + else + ret =3D ocfs2_error(inode->i_sb, + "Inode %lu has bad extent record (NULL) in xattr\n", + inode->i_ino); goto out; } =20 --=20 2.25.1
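
Review bot: the new else branch logs "bad extent record (NULL)", which tells whoever reads the log nothing about the on-disk state. Per the commit message, 'rec' is only NULL here when the extent list is empty (l_next_free_rec == 0), so the message should say that, for example "Inode %lu has an empty extent list in xattr". The commit message also ends with "or by checking for an empty list explicitly", while the hunk implements only the NULL check on 'rec'; it should state which fix was taken. Both arms of the if/else are multi-line statements without braces, and bracing them would make the pairing of the else easier to follow. Since the message describes a kernel panic, a Fixes: tag naming the commit that introduced the dereference would help backporting; none is present.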