In ll_dir_ioctl() LL_IOC_LMV_SETSTRIPE: we pass lmv_user_md * lum to ll_dir_setdirstripe() but not lumlen. Hence no validation of lmm_stripe_count vs lumlen. (Future issue.)

In ll_dir_ioctl() IOC_LOV_GETINFO: an OOB array access/swab if lum_stripe_count (from US) does not agree with lmmsize.

In ll_lov_getstripe_ea_info() we should verify that lmmsize (from wire) agrees with lmm_stripe_count.

Style: In ll_lov_getstripe_ea_info() there are vars named lmmsize and lmm_size.

ll_dir_setstripe() checks senselessly for LMV_USER_MAGIC.

In mdt_setattr_unpack() we should check that ma_lmm_size (from RMF) agrees with sizeof(*lmm)/lmm_stripe_count.

In ll_setxattr() need to verity that passed size is at least sizeof(...).

lov_setstripe() is never called.

Why do we have LOV_USER_MAGIC_V1 and LOV_MAGIC_V1? Why isn't one defined to be the other? And similarly for the other LOV/LMV defines.

Should the MDT reint unpackers check for BE lmm_magic and swab accordingly?

In ll_lov_setstripe() what is the purpose of put_user(0, &lumv1p->lmm_stripe_count)? I cannot see that llapi checks this afterwards.