[PATCH v4 0/2] ocfs2: validate xattr metadata bounds

From: Cen Zhang

Date: Mon Jun 22 2026 - 09:03:46 EST


Hi,

This v4 rebases the series on current torvalds/master and reworks the
inline xattr part on top of the newly merged
ocfs2_xattr_ibody_lookup_header() helper.

Patch 1 extends the shared ibody helper with xattr entry name/value
bounds checks and calls it from ocfs2_validate_inode_block().

Patch 2 validates non-indexed external xattr blocks from
ocfs2_validate_xattr_block(). Indexed xattr buckets do not pass through
that validator, so their header and per-entry bounds are checked after
bucket ECC verification in ocfs2_read_xattr_bucket().

Both issues were reproduced with crafted OCFS2 images under KASAN.

Changes since v3:
- Rebase on current torvalds/master.
- Build on the newly merged ocfs2_xattr_ibody_lookup_header() helper
instead of adding a duplicate inline-header helper.
- Keep indexed bucket xh_entries[] bounded by the first bucket block,
while checking name/value offsets against the addressed bucket block.

Cen Zhang (2):
ocfs2: validate inline xattrs during inode block validation
ocfs2: validate external xattr entries when reading metadata

fs/ocfs2/inode.c | 4 +
fs/ocfs2/xattr.c | 192 +++++++++++++++++++++++++++++++++++++++++------
fs/ocfs2/xattr.h | 2 +
3 files changed, 177 insertions(+), 21 deletions(-)

--
2.43.0