[PATCH 3/5] ocfs2: validate inline xattr header before ibody remove

Next message: ZhengYuan Huang: "[PATCH 4/5] ocfs2: validate inline xattr header before inline refcount attach"
Previous message: ZhengYuan Huang: "[PATCH 2/5] ocfs2: validate inline xattr header before checking outside values"
In reply to: Joseph Qi: "Re: [PATCH 2/5] ocfs2: validate inline xattr header before checking outside values"
Next in thread: Joseph Qi: "Re: [PATCH 3/5] ocfs2: validate inline xattr header before ibody remove"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: ZhengYuan Huang

Date: Fri May 08 2026 - 05:02:00 EST

[BUG]
A corrupt inline xattr header can make ocfs2_xattr_ibody_remove() pass an
unchecked header into ocfs2_remove_value_outside() during inode xattr
teardown.

[CAUSE]
ocfs2_xattr_ibody_remove() still rebuilt the ibody xattr header directly
from di->i_xattr_inline_size and then handed it to code that iterates
xh_count and entry geometry.

[FIX]
Validate the inline xattr header with the shared helper before handing it
to the outside-value removal path, and propagate -EFSCORRUPTED on bad
metadata instead of traversing the unchecked header.

Signed-off-by: ZhengYuan Huang <gality369@xxxxxxxxx>
---
fs/ocfs2/xattr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index 05f6f0a886cf..bbb25a01b097 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -2476,9 +2476,9 @@ static int ocfs2_xattr_ibody_remove(struct inode *inode,
.vb_access = ocfs2_journal_access_di,
};

- header = (struct ocfs2_xattr_header *)
- ((void *)di + inode->i_sb->s_blocksize -
- le16_to_cpu(di->i_xattr_inline_size));
+ ret = ocfs2_xattr_ibody_lookup_header(inode, di, &header);
+ if (ret)
+ return ret;

ret = ocfs2_remove_value_outside(inode, &vb, header,
ref_ci, ref_root_bh);
--
2.43.0