From: ZhengYuan Huang
To: mark@fasheh.com, jlbec@evilplan.org, joseph.qi@linux.alibaba.com
Cc: ocfs2-devel@lists.linux.dev, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, r33s3n6@gmail.com, zzzccc427@gmail.com, ZhengYuan Huang
Subject: [PATCH 3/5] ocfs2: validate inline xattr header before ibody remove
Date: Fri, 8 May 2026 16:59:12 +0800
Message-ID: <20260508085914.61647-4-gality369@gmail.com>
In-Reply-To: <20260508085914.61647-1-gality369@gmail.com>
References: <20260508085914.61647-1-gality369@gmail.com>

[BUG]
A corrupt inline xattr header can make ocfs2_xattr_ibody_remove() pass an
unchecked header into ocfs2_remove_value_outside() during inode xattr
teardown.

[CAUSE]
ocfs2_xattr_ibody_remove() still rebuilt the ibody xattr header directly
from di->i_xattr_inline_size and then handed it to code that iterates
xh_count and entry geometry.

[FIX]
Validate the inline xattr header with the shared helper before handing it
to the outside-value removal path, and propagate -EFSCORRUPTED on bad
metadata instead of traversing the unchecked header.

Signed-off-by: ZhengYuan Huang
---
 fs/ocfs2/xattr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 05f6f0a886cf..bbb25a01b097 100644 --- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c @@ -2476,9 +2476,9 @@ static int ocfs2_xattr_ibody_remove(struct inode *inode, .vb_access = ocfs2_journal_access_di, }; - header = (struct ocfs2_xattr_header *) - ((void *)di + inode->i_sb->s_blocksize - - le16_to_cpu(di->i_xattr_inline_size)); + ret = ocfs2_xattr_ibody_lookup_header(inode, di, &header); + if (ret) + return ret; ret = ocfs2_remove_value_outside(inode, &vb, header, ref_ci, ref_root_bh); -- 2.43.0
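Review bot: The new early exit in ocfs2_xattr_ibody_remove() (`if (ret) return ret;` right after `ocfs2_xattr_ibody_lookup_header(inode, di, &header)`) now fails inode xattr teardown on a corrupt header, and the changelog does not say what the caller does with the propagated -EFSCORRUPTED. Please state in the [FIX] section whether the inode's remaining teardown is skipped or continues when this returns an error, since a corrupt inode that can never finish teardown is a behaviour change worth documenting. The helper itself is not defined in this patch, so the changelog should name the patch in the series that adds it and list what it checks (the [CAUSE] text mentions xh_count and entry geometry, and the removed code relied on `di->i_xattr_inline_size` against `s_blocksize`); as posted, this hunk cannot be reviewed on its own for whether those bounds are actually covered. If the helper does not already log the failure, an error message at this call site would help when triaging a corrupted volume. The [BUG] section would also be easier to act on with the observed symptom (the report or trace that exposed the unchecked traversal), and a Fixes: tag if a specific commit introduced the unchecked computation.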