From: ZhengYuan Huang
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH 0/5] ocfs2: validate inline xattr header consumers
Date: Fri, 8 May 2026 16:59:09 +0800
Message-ID: <20260508085914.61647-1-gality369@gmail.com>
X-Mailer: git-send-email 2.50.1
X-Mailing-List: linux-kernel@vger.kernel.org

Corrupt i_xattr_inline_size can move the computed inode-body xattr header
outside the dinode block. Several OCFS2 paths then trust xh_count or xattr
entry geometry from that unchecked header.

The reported KASAN splat hits the ibody lookup path:

  BUG: KASAN: use-after-free in ocfs2_xattr_find_entry+0x37b/0x3a0
  ocfs2_xattr_ibody_get()
  ocfs2_xattr_get_nolock()
  ocfs2_calc_xattr_init()

The same unchecked header derivation also exists in the outside-value probe,
ibody remove, inline refcount attach, and inline reflink paths.

This series factors the existing ibody list validation into a shared helper
and then converts the remaining inline-header consumers one at a time.

Patch layout:
  1. validate ibody get/find and reuse the helper in ibody list
  2. validate the outside-value probe
  3. validate ibody remove
  4. validate inline refcount attach
  5. validate inline reflink

ZhengYuan Huang (5):
  ocfs2: validate inline xattr header before ibody lookups
  ocfs2: validate inline xattr header before checking outside values
  ocfs2: validate inline xattr header before ibody remove
  ocfs2: validate inline xattr header before inline refcount attach
  ocfs2: validate inline xattr header before reflinking inline xattrs

 fs/ocfs2/xattr.c | 123 ++++++++++++++++++++++++++++-------------------
 1 file changed, 73 insertions(+), 50 deletions(-)

-- 
2.43.0
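Added example, not part of this series and not ocfs2 code: a small C model
of the geometry check the cover letter is about. It derives the inline
header the way ocfs2 does (block end minus i_xattr_inline_size) and then
bounds-checks the region and xh_count before any entry is read, so a
corrupt inline size that would place the header before the block, or an
xh_count that runs past the region, is rejected rather than dereferenced.
The struct definitions, BLOCKSIZE, DINODE_FIXED_SIZE, the demo_* helpers
and the constructed test block are simplified stand-ins chosen for this
example, not the real on-disk layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the on-disk layout (assumption: not the real
 * ocfs2 struct definitions, only enough to model the header geometry). */
struct xattr_entry {
    uint32_t xe_name_hash;
    uint16_t xe_name_offset;
    uint8_t  xe_name_len;
    uint8_t  xe_type;
    uint64_t xe_value_size;
};                                        /* 16 bytes */

struct xattr_header {
    uint16_t xh_count;                    /* entries following the header */
    uint16_t xh_free_start;
    uint16_t xh_name_value_len;
    uint16_t xh_num_buckets;
    struct xattr_entry xh_entries[];
};                                        /* 8 bytes before the entries */

#define BLOCKSIZE 4096u
#define DINODE_FIXED_SIZE 256u            /* assumption: fixed dinode fields */

struct dinode {
    uint8_t  i_fixed[DINODE_FIXED_SIZE - sizeof(uint16_t)]; /* opaque here */
    uint16_t i_xattr_inline_size;         /* the untrusted on-disk value */
};

enum geom_err {
    GEOM_OK = 0,
    GEOM_INLINE_TOO_SMALL,                /* cannot even hold a header */
    GEOM_INLINE_TOO_LARGE,                /* header would start before the block */
    GEOM_ENTRIES_OVERFLOW,                /* xh_count entries run past the region */
};

/* Validate the inline header before trusting xh_count or any entry. The
 * header is derived as ocfs2 does it: block end minus i_xattr_inline_size.
 * On success *hdr_out points at a header whose entries all lie inside. */
static enum geom_err
validate_inline_xattr_header(const uint8_t *block, const struct xattr_header **hdr_out)
{
    const struct dinode *di = (const struct dinode *)block;
    uint16_t inline_size = di->i_xattr_inline_size;
    const uint8_t *end = block + BLOCKSIZE;

    *hdr_out = NULL;
    if (inline_size < sizeof(struct xattr_header))
        return GEOM_INLINE_TOO_SMALL;
    if (inline_size > BLOCKSIZE - DINODE_FIXED_SIZE)
        return GEOM_INLINE_TOO_LARGE;     /* overlaps dinode fields or leaves the block */

    const struct xattr_header *hdr = (const struct xattr_header *)(end - inline_size);
    /* Only now is xh_count inside the block and safe to read. */
    size_t need = sizeof(*hdr) + (size_t)hdr->xh_count * sizeof(struct xattr_entry);
    if (need > inline_size)
        return GEOM_ENTRIES_OVERFLOW;
    *hdr_out = hdr;
    return GEOM_OK;
}

/* Lookup modelled on an ibody find: walk xh_count entries for a name hash.
 * Returns the entry index, -1 if absent, -2 if validation failed. */
static int inline_xattr_find(const uint8_t *block, uint32_t name_hash)
{
    const struct xattr_header *hdr;
    if (validate_inline_xattr_header(block, &hdr) != GEOM_OK)
        return -2;
    for (uint16_t i = 0; i < hdr->xh_count; i++)
        if (hdr->xh_entries[i].xe_name_hash == name_hash)
            return i;
    return -1;
}

/* Constructed test block: sets i_xattr_inline_size and, only when the region
 * lies inside the block, a header with `count` entries hashed 0x100 + i. */
static _Alignas(8) uint8_t g_block[BLOCKSIZE];

static const uint8_t *make_block(uint16_t inline_size, uint16_t count)
{
    memset(g_block, 0, sizeof g_block);
    ((struct dinode *)g_block)->i_xattr_inline_size = inline_size;
    if (inline_size >= sizeof(struct xattr_header) &&
        inline_size <= BLOCKSIZE - DINODE_FIXED_SIZE) {
        struct xattr_header *hdr = (struct xattr_header *)(g_block + BLOCKSIZE - inline_size);
        hdr->xh_count = count;
        size_t fit = (inline_size - sizeof(*hdr)) / sizeof(struct xattr_entry);
        for (size_t i = 0; i < count && i < fit; i++)
            hdr->xh_entries[i].xe_name_hash = 0x100 + (uint32_t)i;
    }
    return g_block;
}

static enum geom_err demo_geometry(uint16_t inline_size, uint16_t count)
{
    const struct xattr_header *hdr;
    return validate_inline_xattr_header(make_block(inline_size, count), &hdr);
}

static int demo_find(uint16_t inline_size, uint16_t count, uint32_t hash)
{
    return inline_xattr_find(make_block(inline_size, count), hash);
}

int main(void)
{
    printf("good header: %d\n", demo_geometry(256, 15));          /* 0 = GEOM_OK */
    printf("inline size 0xFFFF: %d\n", demo_geometry(0xFFFF, 0)); /* GEOM_INLINE_TOO_LARGE */
    printf("xh_count 16 in 256 bytes: %d\n", demo_geometry(256, 16));
    printf("find hash 0x105: %d\n", demo_find(256, 15, 0x105));
    return 0;
}
```

The order of the checks is the point: the size of the region is checked
against values that are already trusted (the block size and the fixed dinode
prefix) before xh_count is read, and xh_count is checked against the region
before the entries are walked. A real ocfs2 check would also consult the
inline-xattr flag and treat a zero i_xattr_inline_size as "no inline xattrs";
this model simply rejects it.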