Date: Tue, 3 Mar 2026 01:56:35 +0000
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.53.0.473.g4a7958ca14-goog
Message-ID: <20260303015646.2796170-1-morbo@google.com>
Subject: [PATCH] xfs: annotate struct
xfs_attr_list_context with __counted_by_ptr
From: Bill Wendling
To: linux-kernel@vger.kernel.org
Cc: Bill Wendling, Carlos Maiolino, "Darrick J. Wong", Gogul Balakrishnan, Arman Hasanzadeh, Kees Cook, linux-xfs@vger.kernel.org, codemender-patching+linux@google.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add the `__counted_by_ptr` attribute to the `buffer` field of `struct xfs_attr_list_context`. This field is used to point to a buffer of size `bufsize`.

The `buffer` field is assigned in:
1. `xfs_ioc_attr_list` in `fs/xfs/xfs_handle.c`
2. `xfs_xattr_list` in `fs/xfs/xfs_xattr.c`
3. `xfs_getparents` in `fs/xfs/xfs_handle.c` (implicitly initialized to NULL)

In `xfs_ioc_attr_list`, `buffer` was assigned before `bufsize`. Reorder them to ensure `bufsize` is set before `buffer` is assigned, although no access happens between them.

In `xfs_xattr_list`, `buffer` was assigned before `bufsize`. Reorder them to ensure `bufsize` is set before `buffer` is assigned.

In `xfs_getparents`, `buffer` is NULL (from zero initialization) and remains NULL. `bufsize` is set to a non-zero value, but since `buffer` is NULL, no access occurs.

In all cases, the pointer `buffer` is not accessed before `bufsize` is set.

This patch was generated by CodeMender and reviewed by Bill Wendling.
Tested by running xfstests.

Signed-off-by: Bill Wendling
---
Cc: Carlos Maiolino
Cc: "Darrick J. Wong"
Cc: Gogul Balakrishnan
Cc: Arman Hasanzadeh
Cc: Kees Cook
Cc: linux-xfs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: codemender-patching+linux@google.com
---
 fs/xfs/libxfs/xfs_attr.h | 2 +-
 fs/xfs/xfs_handle.c | 2 +-
 fs/xfs/xfs_xattr.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/xfs/libxfs/xfs_attr.h b/fs/xfs/libxfs/xfs_attr.h index 8244305949de..4cd161905288 100644 --- a/fs/xfs/libxfs/xfs_attr.h +++ b/fs/xfs/libxfs/xfs_attr.h 
@@ -55,7 +55,7 @@ struct xfs_attr_list_context { struct xfs_trans *tp; struct xfs_inode *dp; /* inode */ struct xfs_attrlist_cursor_kern cursor; /* position in list */ - void *buffer; /* output buffer */ + void *buffer __counted_by_ptr(bufsize); /* output buffer */ =20 /* * Abort attribute list iteration if non-zero. Can be used to pass diff --git a/fs/xfs/xfs_handle.c b/fs/xfs/xfs_handle.c index d1291ca15239..2b8617ae7ec2 100644 --- a/fs/xfs/xfs_handle.c +++ b/fs/xfs/xfs_handle.c @@ -443,8 +443,8 @@ xfs_ioc_attr_list( context.dp =3D dp; context.resynch =3D 1; context.attr_filter =3D xfs_attr_filter(flags); - context.buffer =3D buffer; context.bufsize =3D round_down(bufsize, sizeof(uint32_t)); + context.buffer =3D buffer; context.firstu =3D context.bufsize; context.put_listent =3D xfs_ioc_attr_put_listent; =20 diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c index a735f16d9cd8..544213067d59 100644 --- a/fs/xfs/xfs_xattr.c +++ b/fs/xfs/xfs_xattr.c @@ -332,8 +332,8 @@ xfs_vn_listxattr( memset(&context, 0, sizeof(context)); context.dp =3D XFS_I(inode); context.resynch =3D 1; - context.buffer =3D size ? data : NULL; context.bufsize =3D size; + context.buffer =3D size ? data : NULL; context.firstu =3D context.bufsize; context.put_listent =3D xfs_xattr_put_listent; =20 --=20 2.53.0.473.g4a7958ca14-goog
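
Review bot: in the fs/xfs/libxfs/xfs_attr.h hunk, `void *buffer __counted_by_ptr(bufsize);` leaves the unit of the count implicit. The pointee is `void`, so the declaration gives no element size, while the commit message describes `bufsize` as the size of the buffer. State in the field comment that `bufsize` is a byte count, for example `/* output buffer, bufsize bytes */`, so the bound the annotation expresses is unambiguous to anyone adding another assignment site.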
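
Review bot: in the xfs_ioc_attr_list hunk of fs/xfs/xfs_handle.c, nothing at the `context.bufsize` / `context.buffer` pair records that the order of the two stores now matters. The commit message says no access happens between them, so a later cleanup could swap them back without any visible failure; a one-line comment above the `context.bufsize` assignment saying the count must be set before the annotated pointer would prevent that. The commit message also says xfs_getparents in this file keeps `buffer` NULL with a non-zero `bufsize` and gets no hunk; a comment there noting that the combination is intentional would help as well.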
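
Review bot: the commit message names `xfs_xattr_list` as the assignment site in fs/xfs/xfs_xattr.c, but the hunk header for that file shows the reordered stores are in `xfs_vn_listxattr`. Correct the function name in the commit message so the list of audited sites matches the code. In the same hunk, a zero `size` gives a zero `bufsize` together with a NULL `buffer`, which is consistent with the annotation and needs no change.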