Re: [PATCH 3/5] ocfs2: validate inline xattr header before ibody remove

Next message: Greg Kroah-Hartman: "Linux 6.18.29"
Previous message: Adrian Ng Ho Yin: "[PATCH] firmware: stratix10-svc: remove RSU command exclusion from no-support callback"
In reply to: ZhengYuan Huang: "[PATCH 3/5] ocfs2: validate inline xattr header before ibody remove"
Next in thread: ZhengYuan Huang: "[PATCH 4/5] ocfs2: validate inline xattr header before inline refcount attach"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Joseph Qi

Date: Mon May 11 2026 - 02:32:50 EST

On 5/8/26 4:59 PM, ZhengYuan Huang wrote:
> [BUG]
> A corrupt inline xattr header can make ocfs2_xattr_ibody_remove() pass an
> unchecked header into ocfs2_remove_value_outside() during inode xattr
> teardown.
>
> [CAUSE]
> ocfs2_xattr_ibody_remove() still rebuilt the ibody xattr header directly
> from di->i_xattr_inline_size and then handed it to code that iterates
> xh_count and entry geometry.
>
> [FIX]
> Validate the inline xattr header with the shared helper before handing it
> to the outside-value removal path, and propagate -EFSCORRUPTED on bad
> metadata instead of traversing the unchecked header.
>
> Signed-off-by: ZhengYuan Huang <gality369@xxxxxxxxx>

Looks fine.
Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
> ---
> fs/ocfs2/xattr.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
> index 05f6f0a886cf..bbb25a01b097 100644
> --- a/fs/ocfs2/xattr.c
> +++ b/fs/ocfs2/xattr.c
> @@ -2476,9 +2476,9 @@ static int ocfs2_xattr_ibody_remove(struct inode *inode,
> .vb_access = ocfs2_journal_access_di,
> };
>
> - header = (struct ocfs2_xattr_header *)
> - ((void *)di + inode->i_sb->s_blocksize -
> - le16_to_cpu(di->i_xattr_inline_size));
> + ret = ocfs2_xattr_ibody_lookup_header(inode, di, &header);
> + if (ret)
> + return ret;
>
> ret = ocfs2_remove_value_outside(inode, &vb, header,
> ref_ci, ref_root_bh);