Hi Andrea, FYI Andrea's LTP reproducer for a bug introduced in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8b0ba61df5a1 and fixed in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=800d0b9b6a8b
> From: Andrea Cervesato <andrea.cervesato@xxxxxxxx>
> Test reproducer for a bug introduced in 8b0ba61df5a1 ("fs/xattr.c: fix
> simple_xattr_list to always include security.* xattrs").
> Bug can be reproduced when SELinux and ACL are activated on inodes as
> following:
> $ touch testfile
> $ setfacl -m u:myuser:rwx testfile
> $ getfattr -dm. /tmp/testfile
> Segmentation fault (core dumped)
> The reason why this happens is that simple_xattr_list() always includes
> security.* xattrs without resetting error flag after
> security_inode_listsecurity(). This results into an incorrect length of the
> returned xattr name if POSIX ACL is also applied on the inode.
> Signed-off-by: Andrea Cervesato <andrea.cervesato@xxxxxxxx>
> ---
> testcases/kernel/syscalls/listxattr/.gitignore | 1 +
> testcases/kernel/syscalls/listxattr/Makefile | 2 +
> testcases/kernel/syscalls/listxattr/listxattr04.c | 108 ++++++++++++++++++++++
> 3 files changed, 111 insertions(+)
> diff --git a/testcases/kernel/syscalls/listxattr/.gitignore b/testcases/kernel/syscalls/listxattr/.gitignore
> index be0675a6df0080d176d53d70194442bbc9ed376c..0d672b6ea5eec03aab37ee89316c56e24356c1d9 100644
> --- a/testcases/kernel/syscalls/listxattr/.gitignore
> +++ b/testcases/kernel/syscalls/listxattr/.gitignore
> @@ -1,3 +1,4 @@
> /listxattr01
> /listxattr02
> /listxattr03
> +/listxattr04
> diff --git a/testcases/kernel/syscalls/listxattr/Makefile b/testcases/kernel/syscalls/listxattr/Makefile
> index c2f84b1590fc24a7a98f890ea7706771d944aa79..e96bb3fa4c2c6b14b8d2bc8fd4c475e4789d72fe 100644
> --- a/testcases/kernel/syscalls/listxattr/Makefile
> +++ b/testcases/kernel/syscalls/listxattr/Makefile
> @@ -6,4 +6,6 @@ top_srcdir ?= ../../../..
> include $(top_srcdir)/include/mk/testcases.mk
> +listxattr04: LDLIBS += $(ACL_LIBS)
> +
> include $(top_srcdir)/include/mk/generic_leaf_target.mk
> diff --git a/testcases/kernel/syscalls/listxattr/listxattr04.c b/testcases/kernel/syscalls/listxattr/listxattr04.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..473ed45b5c2da8ff8e49c513eeb82158ec2dc066
> --- /dev/null
> +++ b/testcases/kernel/syscalls/listxattr/listxattr04.c
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2025 Andrea Cervesato <andrea.cervesato@xxxxxxxx>
> + */
> +
> +/*\
> + * Test reproducer for a bug introduced in 8b0ba61df5a1 ("fs/xattr.c: fix
> + * simple_xattr_list to always include security.* xattrs").
> + *
> + * Bug can be reproduced when SELinux and ACL are activated on inodes as
> + * following:
> + *
> + * $ touch testfile
> + * $ setfacl -m u:myuser:rwx testfile
> + * $ getfattr -dm. /tmp/testfile
> + * Segmentation fault (core dumped)
> + *
> + * The reason why this happens is that simple_xattr_list() always includes
> + * security.* xattrs without resetting error flag after
> + * security_inode_listsecurity(). This results into an incorrect length of the
> + * returned xattr name if POSIX ACL is also applied on the inode.
> + */
> +
> +#include "config.h"
> +#include "tst_test.h"
> +
> +#if defined(HAVE_SYS_XATTR_H) && defined(HAVE_LIBACL)
> +
> +#include <pwd.h>
> +#include <sys/acl.h>
> +#include <sys/xattr.h>
> +
> +#define ACL_PERM "u::rw-,u:root:rwx,g::r--,o::r--,m::rwx"
> +#define TEST_FILE "test.bin"
> +
> +static acl_t acl;
> +
> +static void verify_xattr(const int size)
> +{
> + char buf[size];
> +
> + memset(buf, 0, sizeof(buf));
> +
> + if (listxattr(TEST_FILE, buf, size) == -1) {
> + if (errno != ERANGE)
> + tst_brk(TBROK | TERRNO, "listxattr() error");
The original verifier from RH bugreport check sizes and also works if size > -1 is returned, but I guess it's not necessary, because Andrea's reproducer works as expected (fails on affected 6.16-rc1 based openSUSE kernel, works on 6.15.x). LGTM.
Reviewed-by: Petr Vorel <pvorel@xxxxxxx>
Tested-by: Petr Vorel <pvorel@xxxxxxx>
Kind regards, Petr [1] https://bugzilla.redhat.com/show_bug.cgi?id=2369561
> +
> + tst_res(TFAIL, "listxattr() failed to read attributes length: ERANGE");
> + return;
> + }
> +
> + tst_res(TPASS, "listxattr() correctly read attributes length");
> +}
> +
> +static void run(void)
> +{
> + int size;
> +
> + size = listxattr(TEST_FILE, NULL, 0);
> + if (size == -1)
> + tst_brk(TBROK | TERRNO, "listxattr() error");
> +
> + verify_xattr(size);
> +}
> +
> +static void setup(void)
> +{
> + int res;
> +
> + if (!tst_selinux_enabled())
> + tst_brk(TCONF, "SELinux is not enabled");
> +
> + SAFE_TOUCH(TEST_FILE, 0644, NULL);
> +
> + acl = acl_from_text(ACL_PERM);
> + if (!acl)
> + tst_brk(TBROK | TERRNO, "acl_from_text() failed");
> +
> + res = acl_set_file(TEST_FILE, ACL_TYPE_ACCESS, acl);
> + if (res == -1) {
> + if (errno == EOPNOTSUPP)
> + tst_brk(TCONF | TERRNO, "acl_set_file()");
> +
> + tst_brk(TBROK | TERRNO, "acl_set_file(%s) failed", TEST_FILE);
> + }
> +}
> +
> +static void cleanup(void)
> +{
> + if (acl)
> + acl_free(acl);
> +}
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .cleanup = cleanup,
> + .needs_root = 1,
> + .needs_tmpdir = 1,
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "800d0b9b6a8b"},
> + {}
> + }
> +};
> +
> +#else /* HAVE_SYS_XATTR_H && HAVE_LIBACL */
> + TST_TEST_TCONF("<sys/xattr.h> or <sys/acl.h> does not exist.");
> +#endif
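Review bot: `char buf[size];` in verify_xattr() is a variable-length array whose length is whatever listxattr(TEST_FILE, NULL, 0) returned, and run() rejects only -1 before passing the value on. A return of 0 would make the VLA undefined behaviour, and since this test exists to catch a kernel that reports a wrong list length, an unexpectedly large value would go onto the stack unchecked. A heap buffer keeps the failure mode defined: `char *buf = SAFE_MALLOC(size);`, with the memset taking `size` instead of `sizeof(buf)` and the buffer freed before each return. In run(), a guard such as `if (!size) tst_brk(TBROK, "listxattr() returned an empty list");` covers the zero case, which presumably should not occur once SELinux and an ACL are set on the file. Separately, `<pwd.h>` looks unused in the lines shown and could be dropped.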