[PATCH 2/5] ocfs2: validate inline xattr header before checking outside values

Next message: ZhengYuan Huang: "[PATCH 3/5] ocfs2: validate inline xattr header before ibody remove"
Previous message: ZhengYuan Huang: "[PATCH 0/5] ocfs2: validate inline xattr header consumers"
In reply to: Joseph Qi: "Re: [PATCH 5/5] ocfs2: validate inline xattr header before reflinking inline xattrs"
Next in thread: Joseph Qi: "Re: [PATCH 2/5] ocfs2: validate inline xattr header before checking outside values"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: ZhengYuan Huang

Date: Fri May 08 2026 - 05:01:35 EST

[BUG]
A corrupt inline xattr header can make
ocfs2_has_inline_xattr_value_outside() walk xh_count from an unchecked
header while refcount-tree teardown decides whether inline xattrs still
point outside the inode body.

[CAUSE]
ocfs2_has_inline_xattr_value_outside() still computed the inline header
directly from di->i_xattr_inline_size and immediately iterated xh_count.
That is the same unchecked metadata boundary as the ibody lookup bug.

[FIX]
Reuse the shared inline-header helper before iterating xh_count. Because
this helper returns a boolean-style answer to its caller, treat a corrupt
header conservatively as "has outside values" instead of walking it.

Signed-off-by: ZhengYuan Huang <gality369@xxxxxxxxx>
---
fs/ocfs2/xattr.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index 3a5a17cdcf7e..05f6f0a886cf 100644
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -989,11 +989,12 @@ int ocfs2_has_inline_xattr_value_outside(struct inode *inode,
struct ocfs2_dinode *di)
{
struct ocfs2_xattr_header *xh;
+ int ret;
int i;

- xh = (struct ocfs2_xattr_header *)
- ((void *)di + inode->i_sb->s_blocksize -
- le16_to_cpu(di->i_xattr_inline_size));
+ ret = ocfs2_xattr_ibody_lookup_header(inode, di, &xh);
+ if (ret)
+ return 1;

for (i = 0; i < le16_to_cpu(xh->xh_count); i++)
if (!ocfs2_xattr_is_local(&xh->xh_entries[i]))
--
2.43.0