From: Wenjie Qi
To: jaegeuk@kernel.org, chao@kernel.org
Cc: stable@kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org, qiwenjie@xiaomi.com, qwjhust@gmail.com
Subject: [PATCH v2] f2fs: fix user.fadvise xattr input validation
Date: Thu, 21 May 2026 17:28:35 +0800
Message-ID: <20260521092835.1930997-1-qiwenjie@xiaomi.com>
X-Mailer: git-send-email 2.43.0

The user.fadvise xattr handlers read and write an unsigned int value,
but neither path validates the full VFS xattr input before using that
synthetic 4-byte value.

removexattr("user.fadvise") calls the xattr set callback with
value == NULL and size == 0, which can dereference NULL. A normal
setxattr() call with a short value, including size == 0, can also make
the set handler read past the provided value buffer.

The get handler has the same length issue in the other direction. If
userspace calls getxattr("user.fadvise", buf, 1), VFS allocates a
1-byte kernel buffer and passes that size to the filesystem. F2FS then
returns 4, causing VFS to copy 4 bytes from that 1-byte buffer back to
userspace.

Treat a NULL value as clearing the large-folio inode registration.
Reject non-NULL user.fadvise set values whose length is not exactly
sizeof(unsigned int), and reject non-NULL get buffers smaller than
sizeof(unsigned int) before using the 4-byte synthetic value.

Fixes: 39774f27deaf ("f2fs: another way to set large folio by remembering inode number")
Cc: stable@kernel.org
Signed-off-by: Wenjie Qi --- Changes in v2: - Add a comment to describe the removexattr("user.fadvise") NULL value path. - Add Cc: stable@kernel.org. - Validate the user.fadvise getxattr buffer length as well. fs/f2fs/xattr.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c index 84273936f2a0..48bd25e3d266 100644 --- a/fs/f2fs/xattr.c +++ b/fs/f2fs/xattr.c @@ -45,10 +45,13 @@ static void xattr_free(struct f2fs_sb_info *sbi, void *= xattr_addr, kfree(xattr_addr); } =20 -static int f2fs_xattr_fadvise_get(struct inode *inode, void *buffer) +static int f2fs_xattr_fadvise_get(struct inode *inode, void *buffer, + size_t size) { if (!buffer) goto out; + if (size < sizeof(unsigned int)) + return -ERANGE; if (mapping_large_folio_support(inode->i_mapping)) *((unsigned int *)buffer) |=3D BIT(F2FS_XATTR_FADV_LARGEFOLIO); out: @@ -74,16 +77,26 @@ static int f2fs_xattr_generic_get(const struct xattr_ha= ndler *handler, } if (handler->flags =3D=3D F2FS_XATTR_INDEX_USER && !strcmp(name, "fadvise")) - return f2fs_xattr_fadvise_get(inode, buffer); + return f2fs_xattr_fadvise_get(inode, buffer, size); =20 return f2fs_getxattr(inode, handler->flags, name, buffer, size, NULL); } =20 -static int f2fs_xattr_fadvise_set(struct inode *inode, const void *value) +static int f2fs_xattr_fadvise_set(struct inode *inode, const void *value, + size_t size) { unsigned int new_fadvise; =20 + /* removexattr("user.fadvise") passes NULL to clear the hint. */ + if (!value) { + f2fs_remove_ino_entry(F2FS_I_SB(inode), + inode->i_ino, LARGE_FOLIO_INO); + return 0; + } + if (size !=3D sizeof(new_fadvise)) + return -EINVAL; + new_fadvise =3D *(unsigned int *)value; =20 if (new_fadvise & BIT(F2FS_XATTR_FADV_LARGEFOLIO)) 
@@ -116,7 +129,7 @@ static int f2fs_xattr_generic_set(const struct xattr_ha= ndler *handler, } if (handler->flags =3D=3D F2FS_XATTR_INDEX_USER && !strcmp(name, "fadvise")) - return f2fs_xattr_fadvise_set(inode, value); + return f2fs_xattr_fadvise_set(inode, value, size); =20 return f2fs_setxattr(inode, handler->flags, name, value, size, NULL, flags); base-commit: 520760b9f9156bf9698de38dc44c614fad68a1f9 --=20 2.43.0
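Review bot: in the f2fs_xattr_fadvise_get hunk, the new `if (size < sizeof(unsigned int)) return -ERANGE;` is correctly placed after `if (!buffer) goto out;`, because a NULL buffer is the size-probe call that must still return sizeof(unsigned int), but unlike the set hunk this ordering carries no comment; a one-liner such as `/* NULL buffer is the getxattr size probe. */` above the first check would make the dependency between the two checks self-explanatory and keep the two hunks consistent.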
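Review bot: in the f2fs_xattr_fadvise_set hunk, the `if (!value)` branch calls f2fs_remove_ino_entry() and returns 0 unconditionally, so removexattr("user.fadvise") succeeds even on an inode that was never registered, whereas removing a stored attribute that does not exist returns -ENODATA; if that asymmetry is intended for a synthetic attribute, the new comment should say so, otherwise the branch needs to report whether an entry was actually removed. The `if (size != sizeof(new_fadvise)) return -EINVAL;` that follows matches the commit message's "exactly sizeof(unsigned int)" wording and makes the later `new_fadvise = *(unsigned int *)value;` safe for size 0.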
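The VFS/handler size contract the commit message describes, as an added userspace model that is not part of the patch or of f2fs: the two handler bodies follow the fixed logic, while the VFS wrapper, the FADV_LARGEFOLIO_BIT value and the large_folio_registered flag are assumptions standing in for vfs_getxattr(), the real bit index and f2fs_remove_ino_entry().

```c
/* Userspace model of the VFS/filesystem xattr contract from the commit
 * message. Added example, not kernel code: the handlers mirror the fixed
 * f2fs logic; the VFS wrapper and the registration flag are assumptions. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define FADV_LARGEFOLIO_BIT (1u << 0)  /* constructed; not f2fs's real bit */
static int large_folio_registered;    /* stands in for the LARGE_FOLIO_INO entry */

/* Get handler after the fix: NULL buffer is the size probe, otherwise the
 * caller's buffer must hold the whole 4-byte value. */
static int fadvise_get(void *buffer, size_t size)
{
	if (!buffer)
		return sizeof(unsigned int);
	if (size < sizeof(unsigned int))
		return -ERANGE;
	if (large_folio_registered)
		*((unsigned int *)buffer) |= FADV_LARGEFOLIO_BIT;
	return sizeof(unsigned int);
}

/* Set handler after the fix: removexattr() arrives as value == NULL, size 0. */
static int fadvise_set(const void *value, size_t size)
{
	unsigned int new_fadvise;
	if (!value) {
		large_folio_registered = 0;	/* clear the registration */
		return 0;
	}
	if (size != sizeof(new_fadvise))
		return -EINVAL;		/* short or long value: never read past it */
	memcpy(&new_fadvise, value, sizeof(new_fadvise));
	large_folio_registered = !!(new_fadvise & FADV_LARGEFOLIO_BIT);
	return 0;
}

/* Model of vfs_getxattr(): a zeroed kernel buffer of the caller's size goes to
 * the handler; a positive return larger than that size is the over-copy the
 * commit message describes, reported here as -EOVERFLOW instead. */
static int vfs_getxattr_model(size_t size)
{
	void *kbuf = size ? calloc(1, size) : NULL;
	int ret = fadvise_get(kbuf, size);
	if (ret > 0 && size && (size_t)ret > size)
		ret = -EOVERFLOW;
	free(kbuf);
	return ret;
}
```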