From: ZhengYuan Huang Date: Fri, 8 May 2026 08:59:13 +0000 (+0800) Subject: ocfs2: validate inline xattr header before inline refcount attach X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4523ba0ee2e9ab6ee9c4b20b2867c3e4aa01f503;p=thirdparty%2Flinux.git ocfs2: validate inline xattr header before inline refcount attach [BUG] A corrupt inline xattr header can make ocfs2_xattr_inline_attach_refcount() feed an unchecked header into the refcount-attachment walk for inline xattr values. [CAUSE] The inline refcount-attach path still derived the header directly from di->i_xattr_inline_size and then passed it to code that iterates xh_count and xattr entries. [FIX] Use the shared ibody header helper before attaching refcounts to inline xattr values so corrupt header geometry is rejected with -EFSCORRUPTED instead of being traversed. Link: https://lore.kernel.org/20260508085914.61647-5-gality369@gmail.com Signed-off-by: ZhengYuan Huang Reviewed-by: Joseph Qi Cc: Changwei Ge Cc: Heming Zhao Cc: Jia-Ju Bai Cc: Joel Becker Cc: Jun Piao Cc: Junxiao Bi Cc: Mark Fasheh Cc: Zixuan Fu Signed-off-by: Andrew Morton --- diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index bbb25a01b097..4877406a83ce 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -6016,14 +6016,17 @@ static int ocfs2_xattr_inline_attach_refcount(struct inode *inode, struct ocfs2_cached_dealloc_ctxt *dealloc) { struct ocfs2_dinode *di = (struct ocfs2_dinode *)fe_bh->b_data; - struct ocfs2_xattr_header *header = (struct ocfs2_xattr_header *) - (fe_bh->b_data + inode->i_sb->s_blocksize - - le16_to_cpu(di->i_xattr_inline_size)); + struct ocfs2_xattr_header *header; + int ret; struct ocfs2_xattr_value_buf vb = { .vb_bh = fe_bh, .vb_access = ocfs2_journal_access_di, }; + ret = ocfs2_xattr_ibody_lookup_header(inode, di, &header); + if (ret) + return ret; + return ocfs2_xattr_attach_refcount_normal(inode, &vb, header, ref_ci, ref_root_bh, dealloc); }
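Review bot: In the added lines that call `ocfs2_xattr_ibody_lookup_header(inode, di, &header)`, `header` is now declared without an initializer and is only safe to hand to `ocfs2_xattr_attach_refcount_normal()` because of the `if (ret) return ret;` check, so the whole fix rests on a helper whose body is not part of this diff. It is worth confirming, in the patch that introduces the helper, that it always stores to `*header` when it returns 0 and that its validation covers what the commit message says the downstream walk consumes: `i_xattr_inline_size` relative to the block, and `xh_count` and the entries relative to the inline area. A short comment above the call stating what the helper guarantees on success would make that dependency visible at this call site, since the removed open-coded pointer arithmetic was the only place the header's origin was spelled out in this function.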