On Thu, Jun 12, 2025 at 11:01 AM Edward Adam Davis <eadavis@xxxxxx> wrote:
>
> After successfully getting "security.SMACK64", err is not reset to 0, which
> causes simple_xattr_list() to return 17, which is much smaller than the
> actual buffer size..
>
> After updating err to remaining_size, reset err to 0 to avoid returning an
> inappropriate buffer size.
>
> Fixes: 8b0ba61df5a1 ("fs/xattr.c: fix simple_xattr_list to always include security.* xattrs")
> Reported-by: syzbot+4125590f2a9f5b3cdf43@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=4125590f2a9f5b3cdf43
> Tested-by: syzbot+4125590f2a9f5b3cdf43@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
Already fixed on vfs/vfs.fixes, see:
https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git/commit/?h=vfs.fixes&id=800d0b9b6a8b1b354637b4194cc167ad1ce2bdd3
> ---
> fs/xattr.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/fs/xattr.c b/fs/xattr.c
> index 8ec5b0204bfd..600ae97969cf 100644
> --- a/fs/xattr.c
> +++ b/fs/xattr.c
> @@ -1479,6 +1479,7 @@ ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
> buffer += err;
> }
> remaining_size -= err;
> + err = 0;
>
> read_lock(&xattrs->lock);
> for (rbp = rb_first(&xattrs->rb_root); rbp; rbp = rb_next(rbp)) {
> --
> 2.43.0
>
