Date: Mon, 16 Mar 2026 18:41:58 +0000
In-Reply-To: <20260303015646.2796170-1-morbo@google.com>
Message-ID: <20260316184200.840020-1-morbo@google.com>
Subject: [PATCH v2] xfs: annotate struct xfs_attr_list_context with __counted_by_ptr
From: Bill Wendling
To: linux-kernel@vger.kernel.org
Cc: Bill Wendling, Carlos Maiolino, "Darrick J. Wong", Gogul Balakrishnan, Arman Hasanzadeh, Kees Cook, linux-xfs@vger.kernel.org, codemender-patching+linux@google.com

Add the `__counted_by_ptr` attribute to the `buffer` field of `struct
xfs_attr_list_context`. This field is used to point to a buffer of size
`bufsize`.

The `buffer` field is assigned in:

1. `xfs_ioc_attr_list` in `fs/xfs/xfs_handle.c`
2. `xfs_xattr_list` in `fs/xfs/xfs_xattr.c`
3. `xfs_getparents` in `fs/xfs/xfs_handle.c` (implicitly initialized to NULL)

In `xfs_ioc_attr_list`, `buffer` was assigned before `bufsize`. Reorder them
to ensure `bufsize` is set before `buffer` is assigned, although no access
happens between them.

In `xfs_xattr_list`, `buffer` was assigned before `bufsize`. Reorder them to
ensure `bufsize` is set before `buffer` is assigned.

In `xfs_getparents`, `buffer` is NULL (from zero initialization) and remains
NULL. `bufsize` is set to a non-zero value, but since `buffer` is NULL, no
access occurs.

In all cases, the pointer `buffer` is not accessed before `bufsize` is set.

This patch was generated by CodeMender and reviewed by Bill Wendling.
Tested by running xfstests.

Signed-off-by: Bill Wendling Reviewed-by: "Darrick J. Wong" Reviewed-by: Christoph Hellwig --- Cc: Carlos Maiolino Cc: "Darrick J. Wong" Cc: Gogul Balakrishnan Cc: Arman Hasanzadeh Cc: Kees Cook Cc: linux-xfs@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: codemender-patching+linux@google.com --- v2 - Place comment in a more readable spot. --- fs/xfs/libxfs/xfs_attr.h | 3 ++- fs/xfs/xfs_handle.c | 2 +- fs/xfs/xfs_xattr.c | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/xfs/libxfs/xfs_attr.h b/fs/xfs/libxfs/xfs_attr.h index 8244305949de..4b4217e23d1c 100644 --- a/fs/xfs/libxfs/xfs_attr.h +++ b/fs/xfs/libxfs/xfs_attr.h @@ -55,7 +55,8 @@ struct xfs_attr_list_context { struct xfs_trans *tp; struct xfs_inode *dp; /* inode */ struct xfs_attrlist_cursor_kern cursor; /* position in list */ - void *buffer; /* output buffer */ + /* output buffer */ + void *buffer __counted_by_ptr(bufsize); =20 /* * Abort attribute list iteration if non-zero. Can be used to pass diff --git a/fs/xfs/xfs_handle.c b/fs/xfs/xfs_handle.c index d1291ca15239..2b8617ae7ec2 100644 --- a/fs/xfs/xfs_handle.c +++ b/fs/xfs/xfs_handle.c @@ -443,8 +443,8 @@ xfs_ioc_attr_list( context.dp =3D dp; context.resynch =3D 1; context.attr_filter =3D xfs_attr_filter(flags); - context.buffer =3D buffer; context.bufsize =3D round_down(bufsize, sizeof(uint32_t)); + context.buffer =3D buffer; context.firstu =3D context.bufsize; context.put_listent =3D xfs_ioc_attr_put_listent; =20 diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c index a735f16d9cd8..544213067d59 100644 --- a/fs/xfs/xfs_xattr.c +++ b/fs/xfs/xfs_xattr.c @@ -332,8 +332,8 @@ xfs_vn_listxattr( memset(&context, 0, sizeof(context)); context.dp =3D XFS_I(inode); context.resynch =3D 1; - context.buffer =3D size ? data : NULL; context.bufsize =3D size; + context.buffer =3D size ? data : NULL; context.firstu =3D context.bufsize; context.put_listent =3D xfs_xattr_put_listent; =20 --=20 2.53.0.851.ga537e3e6e9-goog
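
Review bot: In the fs/xfs/libxfs/xfs_attr.h hunk, the comment above the annotated field still says only `/* output buffer */`, so the contract that `__counted_by_ptr(bufsize)` introduces is documented nowhere but the commit message. Consider extending that comment to say that `bufsize` gives the size of this `void *` buffer, that it must be assigned before `buffer`, and that a NULL `buffer` with a non-zero `bufsize` is an expected state (the commit message describes exactly that for `xfs_getparents`, which has no hunk here).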
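
Review bot: In the `xfs_ioc_attr_list` hunk (fs/xfs/xfs_handle.c), nothing at the two swapped lines says their order is now significant, so a later cleanup could move `context.buffer = buffer;` back above the `context.bufsize` assignment without noticing. A one-line comment above the pair stating that `bufsize` has to be set before the counted pointer would keep the constraint visible at the call site. The count stored here is `round_down(bufsize, sizeof(uint32_t))`, which can be smaller than the caller's `bufsize`; that is the conservative direction, but it is worth confirming that no user of `context.buffer` relies on the unrounded size.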
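
Review bot: The commit message names `xfs_xattr_list` as the assignment site in fs/xfs/xfs_xattr.c, but the hunk header for that file shows the reordered lines inside `xfs_vn_listxattr(`; please make the commit message match the function that is actually changed. The reorder itself keeps pointer and count consistent: with `context.bufsize = size;` first and `context.buffer = size ? data : NULL;` second, a zero `size` yields a NULL buffer with a zero count.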