ocfs2: validate inline xattr header before reflinking inline xattrs

[BUG]
A corrupt inline xattr header can make ocfs2_reflink_xattr_inline() lock,
copy, and reflink xattr state from an unchecked ibody xattr header.

[CAUSE]
The inline reflink path still trusted di->i_xattr_inline_size to compute
header_off, xh, and new_xh before handing the source header to the reflink
allocator and copy logic.

[FIX]
Validate the source inode's inline xattr header with the shared helper
first, then derive the reflink copy offsets from the validated inline
size/header. This keeps the reflink path from traversing corrupt ibody
xattr geometry.

Link: https://lore.kernel.org/20260508085914.61647-6-gality369@gmail.com
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: Jia-Ju Bai <baijiaju1990@gmail.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Zixuan Fu <r33s3n6@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
index 4877406a83ceebeab4bdc4268b57b60c5bd5dd56..fcddd3c13acdddd24666eaf93dd0fce0ea958b02 100644 (file)
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -6511,12 +6511,10 @@ static int ocfs2_reflink_xattr_inline(struct ocfs2_xattr_reflink *args)
        handle_t *handle;
        struct ocfs2_super *osb = OCFS2_SB(args->old_inode->i_sb);
        struct ocfs2_dinode *di = (struct ocfs2_dinode *)args->old_bh->b_data;
-       int inline_size = le16_to_cpu(di->i_xattr_inline_size);
-       int header_off = osb->sb->s_blocksize - inline_size;
-       struct ocfs2_xattr_header *xh = (struct ocfs2_xattr_header *)
-                                       (args->old_bh->b_data + header_off);
-       struct ocfs2_xattr_header *new_xh = (struct ocfs2_xattr_header *)
-                                       (args->new_bh->b_data + header_off);
+       int inline_size;
+       int header_off;
+       struct ocfs2_xattr_header *xh;
+       struct ocfs2_xattr_header *new_xh;
        struct ocfs2_alloc_context *meta_ac = NULL;
        struct ocfs2_inode_info *new_oi;
        struct ocfs2_dinode *new_di;
@@ -6525,6 +6523,15 @@ static int ocfs2_reflink_xattr_inline(struct ocfs2_xattr_reflink *args)
                .vb_access = ocfs2_journal_access_di,
        };
 
+       ret = ocfs2_xattr_ibody_lookup_header(args->old_inode, di, &xh);
+       if (ret)
+               goto out;
+
+       inline_size = le16_to_cpu(di->i_xattr_inline_size);
+       header_off = osb->sb->s_blocksize - inline_size;
+       new_xh = (struct ocfs2_xattr_header *)
+               (args->new_bh->b_data + header_off);
+
        ret = ocfs2_reflink_lock_xattr_allocators(osb, xh, args->ref_root_bh,
                                                  &credits, &meta_ac);
        if (ret) {