[PATCH] ocfs2: fix NULL pointer dereference in ocfs2_xattr_get_rec

From: Jiasheng Jiang

Date: Sat Jan 17 2026 - 12:36:00 EST


In ocfs2_xattr_get_rec, the variable 'rec' is initialized to NULL.
If the extent list 'el' is empty (l_next_free_rec == 0), the loop
iterating over the records is skipped, leaving 'rec' as NULL.

Since 'e_blkno' is initialized to 0, the function enters the error
handling block 'if (!e_blkno)'. Inside this block, the function calls
ocfs2_error() and attempts to dereference 'rec' via
'le32_to_cpu(rec->e_cpos)' and 'ocfs2_rec_clusters(el, rec)'. This
results in a NULL pointer dereference and a kernel panic.

Fix this by ensuring 'rec' is not NULL before accessing its members
within the error handling path, or by checking for an empty list
explicitly.

Signed-off-by: Jiasheng Jiang <jiashengjiangcool@xxxxxxxxx>
---
fs/ocfs2/xattr.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index 1b21fbc16d73..b018c84dbc05 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -3757,10 +3757,16 @@ static int ocfs2_xattr_get_rec(struct inode *inode,
}

if (!e_blkno) {
- ret = ocfs2_error(inode->i_sb, "Inode %lu has bad extent record (%u, %u, 0) in xattr\n",
- inode->i_ino,
- le32_to_cpu(rec->e_cpos),
- ocfs2_rec_clusters(el, rec));
+ if (rec)
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %lu has bad extent record (%u, %u, 0) in xattr\n",
+ inode->i_ino,
+ le32_to_cpu(rec->e_cpos),
+ ocfs2_rec_clusters(el, rec));
+ else
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %lu has bad extent record (NULL) in xattr\n",
+ inode->i_ino);
goto out;
}
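Review bot: the `else` branch's message `"Inode %lu has bad extent record (NULL) in xattr\n"` drops the one fact the commit message identifies as the actual corruption, namely that the extent list is empty (l_next_free_rec == 0); report that condition in words an administrator can act on, for example "Inode %lu has an empty xattr extent list\n", rather than "(NULL)". Branching on `rec` inside the `!e_blkno` block also duplicates the format string and the ocfs2_error() call; the commit message's own second option, rejecting an empty list explicitly before the loop, keeps this block single-path and leaves the existing "(%u, %u, 0)" message reachable only when `rec` is valid. Either way, a patch for an on-disk-triggerable NULL dereference that the message says panics the kernel should carry a Fixes: tag and a Cc: stable line, both of which are missing here.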

--
2.25.1
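To make the failure mode in the commit message reproducible outside the kernel, here is an added host-side model of the lookup loop (example code, not ocfs2's own). The `struct xrec`/`struct xlist` types, the `LOOKUP_*` status codes, the `sample_list()` inputs and the wrapper functions are assumptions for this demo; real ocfs2 uses `struct ocfs2_extent_list`/`struct ocfs2_extent_rec` with little-endian on-disk fields and reports through `ocfs2_error()`. The loop keeps the kernel's shape (`rec` starts NULL and is assigned only inside the loop), and the error path is hardened so an empty list is reported instead of dereferenced:

```c
/* Added example (not ocfs2 code): a host-side model of the lookup loop
 * described in the commit message, with the error path hardened so an
 * empty extent list is reported instead of dereferenced. Struct names,
 * LOOKUP_* codes and the sample lists are assumptions for this demo;
 * real ocfs2 uses struct ocfs2_extent_list/ocfs2_extent_rec with
 * little-endian on-disk fields and reports via ocfs2_error(). */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

enum lookup_status {
    LOOKUP_OK = 0,
    LOOKUP_EMPTY_LIST = -1,  /* l_next_free_rec == 0: rec never assigned */
    LOOKUP_BAD_RECORD = -2,  /* a record was examined but e_blkno is 0 */
};

struct xrec {                /* hypothetical stand-in for ocfs2_extent_rec */
    uint32_t cpos;           /* first position covered by this record */
    uint32_t clusters;       /* number of positions covered */
    uint64_t blkno;          /* block number; 0 is never valid */
};

struct xlist {               /* hypothetical stand-in for ocfs2_extent_list */
    uint16_t next_free_rec;  /* count of valid entries in recs[] */
    struct xrec recs[4];
};

/* Same shape as the kernel loop: rec starts NULL and is only assigned
 * inside the loop, so an empty list leaves it NULL with e_blkno == 0. */
static int lookup_rec(const struct xlist *el, uint32_t name_hash,
                      uint64_t *blkno_out)
{
    const struct xrec *rec = NULL;
    uint64_t e_blkno = 0;
    unsigned int i;

    for (i = 0; i < el->next_free_rec; i++) {
        rec = &el->recs[i];
        if (rec->cpos + rec->clusters > name_hash) {
            e_blkno = rec->blkno;
            break;
        }
    }

    if (!e_blkno) {
        /* Hardened error path: check rec before touching its members. */
        if (!rec) {
            fprintf(stderr, "empty extent list (l_next_free_rec == 0)\n");
            return LOOKUP_EMPTY_LIST;
        }
        fprintf(stderr, "bad extent record (%u, %u, 0)\n",
                rec->cpos, rec->clusters);
        return LOOKUP_BAD_RECORD;
    }

    if (blkno_out)
        *blkno_out = e_blkno;
    return LOOKUP_OK;
}

/* Constructed sample lists: 0 = empty (the crash case from the commit
 * message), 1 = two good records, 2 = one record with a zero blkno. */
static struct xlist sample_list(int kind)
{
    struct xlist el = { 0 };

    switch (kind) {
    case 1:
        el.next_free_rec = 2;
        el.recs[0] = (struct xrec){ .cpos = 0,   .clusters = 100, .blkno = 0x1000 };
        el.recs[1] = (struct xrec){ .cpos = 100, .clusters = 100, .blkno = 0x2000 };
        break;
    case 2:
        el.next_free_rec = 1;
        el.recs[0] = (struct xrec){ .cpos = 0, .clusters = 100, .blkno = 0 };
        break;
    default:
        el.next_free_rec = 0;   /* empty list: the loop body never runs */
        break;
    }
    return el;
}

/* Convenience wrappers so each case is a single call. */
static int lookup_status(int kind, uint32_t name_hash)
{
    struct xlist el = sample_list(kind);
    return lookup_rec(&el, name_hash, NULL);
}

static uint64_t lookup_blkno(int kind, uint32_t name_hash)
{
    struct xlist el = sample_list(kind);
    uint64_t blkno = 0;

    lookup_rec(&el, name_hash, &blkno);
    return blkno;   /* 0 on any error */
}

int main(void)
{
    printf("empty list -> %d\n", lookup_status(0, 10));
    printf("hash 150   -> blkno 0x%llx\n",
           (unsigned long long)lookup_blkno(1, 150));
    printf("zero blkno -> %d\n", lookup_status(2, 10));
    return 0;
}
```

Without the `if (!rec)` guard, the empty-list case reads `rec->cpos` through a NULL pointer exactly as the commit message describes; with it, the two corruption shapes (no records at all versus a record whose blkno is 0) are distinguished, which is the information a filesystem check needs.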