From: ZhengYuan Huang Date: Fri, 8 May 2026 08:59:11 +0000 (+0800) Subject: ocfs2: validate inline xattr header before checking outside values X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a61b83dd83ed44e937de7aead2b4ddd3ad32e3f8;p=thirdparty%2Flinux.git ocfs2: validate inline xattr header before checking outside values [BUG] A corrupt inline xattr header can make ocfs2_has_inline_xattr_value_outside() walk xh_count from an unchecked header while refcount-tree teardown decides whether inline xattrs still point outside the inode body. [CAUSE] ocfs2_has_inline_xattr_value_outside() still computed the inline header directly from di->i_xattr_inline_size and immediately iterated xh_count. That is the same unchecked metadata boundary as the ibody lookup bug. [FIX] Reuse the shared inline-header helper before iterating xh_count. Because this helper returns a boolean-style answer to its caller, treat a corrupt header conservatively as "has outside values" instead of walking it. Link: https://lore.kernel.org/20260508085914.61647-3-gality369@gmail.com Signed-off-by: ZhengYuan Huang Reviewed-by: Joseph Qi Cc: Changwei Ge Cc: Heming Zhao Cc: Jia-Ju Bai Cc: Joel Becker Cc: Jun Piao Cc: Junxiao Bi Cc: Mark Fasheh Cc: Zixuan Fu Signed-off-by: Andrew Morton --- diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 3a5a17cdcf7e..05f6f0a886cf 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -989,11 +989,12 @@ int ocfs2_has_inline_xattr_value_outside(struct inode *inode, struct ocfs2_dinode *di) { struct ocfs2_xattr_header *xh; + int ret; int i; - xh = (struct ocfs2_xattr_header *) - ((void *)di + inode->i_sb->s_blocksize - - le16_to_cpu(di->i_xattr_inline_size)); + ret = ocfs2_xattr_ibody_lookup_header(inode, di, &xh); + if (ret) + return 1; for (i = 0; i < le16_to_cpu(xh->xh_count); i++) if (!ocfs2_xattr_is_local(&xh->xh_entries[i]))