Re: [PATCH 2/5] ocfs2: validate inline xattr header before checking outside values
From: Joseph Qi
Date: Mon May 11 2026 - 02:30:33 EST
On 5/8/26 4:59 PM, ZhengYuan Huang wrote:
> [BUG]
> A corrupt inline xattr header can make
> ocfs2_has_inline_xattr_value_outside() walk xh_count from an unchecked
> header while refcount-tree teardown decides whether inline xattrs still
> point outside the inode body.
>
> [CAUSE]
> ocfs2_has_inline_xattr_value_outside() still computed the inline header
> directly from di->i_xattr_inline_size and immediately iterated xh_count.
> That is the same unchecked metadata boundary as the ibody lookup bug.
>
> [FIX]
> Reuse the shared inline-header helper before iterating xh_count. Because
> this helper returns a boolean-style answer to its caller, treat a corrupt
> header conservatively as "has outside values" instead of walking it.
>
> Signed-off-by: ZhengYuan Huang <gality369@xxxxxxxxx>
Looks fine.
Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
> ---
> fs/ocfs2/xattr.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
> index 3a5a17cdcf7e..05f6f0a886cf 100644
> --- a/fs/ocfs2/xattr.c
> +++ b/fs/ocfs2/xattr.c
> @@ -989,11 +989,12 @@ int ocfs2_has_inline_xattr_value_outside(struct inode *inode,
> struct ocfs2_dinode *di)
> {
> struct ocfs2_xattr_header *xh;
> + int ret;
> int i;
>
> - xh = (struct ocfs2_xattr_header *)
> - ((void *)di + inode->i_sb->s_blocksize -
> - le16_to_cpu(di->i_xattr_inline_size));
> + ret = ocfs2_xattr_ibody_lookup_header(inode, di, &xh);
> + if (ret)
> + return 1;
>
> for (i = 0; i < le16_to_cpu(xh->xh_count); i++)
> if (!ocfs2_xattr_is_local(&xh->xh_entries[i]))