From: Wenjie Qi
To: jaegeuk@kernel.org, chao@kernel.org
Cc: linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, qiwenjie@xiaomi.com, qwjhust@gmail.com
Subject: [PATCH] f2fs: fix user.fadvise xattr input validation
Date: Wed, 20 May 2026 22:19:35 +0800
Message-ID: <20260520141935.1363513-1-qiwenjie@xiaomi.com>

The user.fadvise xattr handler reads an unsigned int directly from value, but it is also reached by xattr removal and does not validate the supplied value length.

removexattr("user.fadvise") calls the xattr set callback with value == NULL and size == 0, which can dereference NULL. A normal setxattr() call with a short value, including size == 0, can also make the handler read past the provided value buffer.

Treat a NULL value as clearing the large-folio inode registration. Reject non-NULL user.fadvise values whose length is not exactly sizeof(unsigned int) before reading the value.

Fixes: 39774f27deaf ("f2fs: another way to set large folio by remembering inode number")
Signed-off-by: Wenjie Qi
---
 fs/f2fs/xattr.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
index 84273936f2a..4e11d774a2c 100644
--- a/fs/f2fs/xattr.c
+++ b/fs/f2fs/xattr.c
@@ -80,10 +80,19 @@ static int f2fs_xattr_generic_get(const struct xattr_ha= ndler *handler, buffer, size, NULL); } =20 -static int f2fs_xattr_fadvise_set(struct inode *inode, const void *value) +static int f2fs_xattr_fadvise_set(struct inode *inode, const void *value, + size_t size) { unsigned int new_fadvise; =20 + if (!value) { + f2fs_remove_ino_entry(F2FS_I_SB(inode), + inode->i_ino, LARGE_FOLIO_INO); + return 0; + } + if (size !=3D sizeof(new_fadvise)) + return -EINVAL; + new_fadvise =3D *(unsigned int *)value; =20 if (new_fadvise & BIT(F2FS_XATTR_FADV_LARGEFOLIO)) @@ -116,7 +125,7 @@ static int f2fs_xattr_generic_set(const struct xattr_ha= ndler *handler, } if (handler->flags =3D=3D F2FS_XATTR_INDEX_USER && !strcmp(name, "fadvise")) - return f2fs_xattr_fadvise_set(inode, value); + return f2fs_xattr_fadvise_set(inode, value, size); =20 return f2fs_setxattr(inode, handler->flags, name, value, size, NULL, flags); --=20 2.43.0
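Review bot: in the first hunk the `if (!value)` branch and the `size != sizeof(new_fadvise)` check give a zero-length value two different outcomes depending on how it arrives: a NULL value clears the large-folio registration and returns 0, while a non-NULL empty buffer is rejected with -EINVAL. The commit message says a setxattr() with size == 0 reaches this handler, so it should state which of those two paths an empty user.fadvise value is expected to take, and the NULL branch deserves a one-line comment saying it is the removexattr path rather than an error. Separately, `new_fadvise = *(unsigned int *)value;` still assumes the buffer is suitably aligned for an unsigned int; now that the length is checked first, `memcpy(&new_fadvise, value, sizeof(new_fadvise));` would read it without that assumption.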
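Review bot: in the second hunk the early `return f2fs_xattr_fadvise_set(inode, value, size);` still bypasses the `flags` argument that the generic path passes on to f2fs_setxattr, and with the new NULL branch returning 0 unconditionally, removexattr("user.fadvise") now succeeds even when no large-folio registration exists. Both are probably intended for a pseudo-attribute that is never stored, but neither is mentioned anywhere; a short comment at the call site (or a sentence in the commit message) that user.fadvise ignores flags and that removal is idempotent would save the next reader from checking.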
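As an added illustration, not code from this patch or from f2fs: a stand-alone userspace model in C of the validation the patch introduces, with the unvalidated handler shape beside the hardened one and a driver that walks the cases the commit message names (removal with a NULL value, a short value, an empty non-NULL value, and an exact-width value). `struct model_inode`, `MODEL_FADV_LARGEFOLIO` and the function names are hypothetical stand-ins for the kernel's inode and ino-entry list; the inputs are constructed.

```c
/* Added example: a userspace model of an xattr "set" callback that reads a
 * fixed-width integer from the caller-supplied value.  Not f2fs code; the
 * struct, macro and function names are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_FADV_LARGEFOLIO 0u	/* hypothetical bit position */

struct model_inode {
	unsigned long ino;
	int large_folio_registered;	/* stands in for the ino-entry registration */
};

/* A global instance so callers can exercise the handlers without setup. */
struct model_inode demo_inode = { .ino = 7, .large_folio_registered = 0 };

/* 'Before': the unvalidated shape.  It dereferences value without looking
 * at any length, so a NULL value (xattr removal) faults and a buffer shorter
 * than unsigned int is over-read.  Kept for comparison and only ever called
 * below with a well-formed buffer. */
int fadvise_set_unchecked(struct model_inode *inode, const void *value)
{
	unsigned int new_fadvise = *(const unsigned int *)value;

	inode->large_folio_registered =
		(new_fadvise & (1u << MODEL_FADV_LARGEFOLIO)) != 0;
	return 0;
}

/* 'After': the hardened shape.  NULL clears the registration, any length
 * other than sizeof(unsigned int) is rejected before the value is read, and
 * memcpy replaces the pointer cast so the buffer's alignment is not assumed. */
int fadvise_set_checked(struct model_inode *inode, const void *value,
			size_t size)
{
	unsigned int new_fadvise;

	if (!value) {
		inode->large_folio_registered = 0;
		return 0;
	}
	if (size != sizeof(new_fadvise))
		return -EINVAL;
	memcpy(&new_fadvise, value, sizeof(new_fadvise));

	inode->large_folio_registered =
		(new_fadvise & (1u << MODEL_FADV_LARGEFOLIO)) != 0;
	return 0;
}

/* Drives the hardened handler through removal, a short value, an empty
 * non-NULL value and exact-width values.  Returns the number of cases that
 * behaved unexpectedly (0 when everything is as intended). */
int run_validation_checks(void)
{
	struct model_inode inode = { .ino = 42, .large_folio_registered = 1 };
	unsigned char short_value[2] = { 0x01, 0x00 };	/* constructed input */
	unsigned int on = 1u << MODEL_FADV_LARGEFOLIO;	/* constructed input */
	unsigned int off = 0u;				/* constructed input */
	int failures = 0;

	/* removal: NULL value must clear the registration, not fault */
	failures += !(fadvise_set_checked(&inode, NULL, 0) == 0 &&
		      inode.large_folio_registered == 0);
	/* short value: rejected before any byte is read */
	failures += !(fadvise_set_checked(&inode, short_value,
					  sizeof(short_value)) == -EINVAL);
	/* empty but non-NULL value: also rejected */
	failures += !(fadvise_set_checked(&inode, short_value, 0) == -EINVAL);
	/* exact width: bit set registers, bit clear unregisters */
	failures += !(fadvise_set_checked(&inode, &on, sizeof(on)) == 0 &&
		      inode.large_folio_registered == 1);
	failures += !(fadvise_set_checked(&inode, &off, sizeof(off)) == 0 &&
		      inode.large_folio_registered == 0);
	/* the unchecked form agrees on a well-formed value */
	failures += !(fadvise_set_unchecked(&inode, &on) == 0 &&
		      inode.large_folio_registered == 1);
	return failures;
}

int main(void)
{
	int failures = run_validation_checks();

	printf("%d unexpected result(s)\n", failures);
	return failures ? 1 : 0;
}
```

The driver deliberately feeds the empty-but-non-NULL case to the checked handler only, since the unchecked form would over-read it; the point of the model is that every malformed input is turned away by the length check before the value is touched.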