Re: [PATCH] ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
From: Joseph Qi
Date: Mon Apr 06 2026 - 21:28:11 EST
On 4/4/26 3:28 AM, Andrew Morton wrote:
> On Fri, 3 Apr 2026 14:38:30 +0800 Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx> wrote:
>
>> KASAN reports a use-after-free write of 4086 bytes in
>> ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
>> copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted
>> on a loop device. The actual bug is an out-of-bounds write past the
>> inode block buffer, not a true use-after-free. The write overflows into
>> an adjacent freed page, which KASAN reports as UAF.
>>
>> The root cause is that ocfs2_try_to_write_inline_data trusts the
>> on-disk id_count field to determine whether a write fits in inline
>> data. On a corrupted filesystem, id_count can exceed the physical
>> maximum inline data capacity, causing writes to overflow the inode
>> block buffer.
>>
>> Call trace (crash path):
>>
>> vfs_copy_file_range (fs/read_write.c:1634)
>> do_splice_direct
>> splice_direct_to_actor
>> iter_file_splice_write
>> ocfs2_file_write_iter
>> generic_perform_write
>> ocfs2_write_end
>> ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
>> ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
>> memcpy_from_folio <-- KASAN: write OOB
>>
>> So add an id_count upper bound check in ocfs2_validate_inode_block()
>> alongside the existing i_size check to fix it.
>
> AI review had a question:
> https://sashiko.dev/#/patchset/20260403063830.3662739-1-joseph.qi@xxxxxxxxxxxxxxxxx
Sashiko worries that it can't handle the case where OCFS2_INLINE_DATA_FL is not set.
I think that is a separate case.
Thanks,
Joseph
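The check the commit message describes, as an added example written for this page (a C model, not ocfs2's code and not the patch itself): a constructed inode block layout, the naive fit test that trusts the on-disk id_count, and read-time validation that bounds id_count by the block's physical capacity. BLOCK_SIZE, the struct layout, INLINE_DATA_FL, the "existing i_size check" and every function name here are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed model of an inode block carrying inline file data. Field names
 * echo ocfs2, but the layout, block size and all functions are illustration
 * only (assumptions), not the kernel's code.
 */
#define BLOCK_SIZE     512u   /* assumed block size for the model */
#define INLINE_DATA_FL 0x01u  /* stand-in for OCFS2_INLINE_DATA_FL */

struct dinode {
	uint8_t  i_signature[8];
	uint64_t i_size;
	uint32_t i_flags;
	uint16_t i_xattr_inline_size;  /* bytes at the block tail reserved for xattrs */
	uint16_t i_pad;
	uint16_t id_count;             /* on-disk: bytes of inline data the block claims */
	uint16_t id_reserved;
	uint8_t  id_data[];            /* inline data runs to the end of the block */
};

/* Physical capacity: block minus the header before id_data and the xattr tail. */
size_t max_inline_data(const struct dinode *di)
{
	size_t used = offsetof(struct dinode, id_data) + di->i_xattr_inline_size;
	return used >= BLOCK_SIZE ? 0 : BLOCK_SIZE - used;
}

/*
 * The unpatched decision as the commit message describes it: "does the write
 * fit?" is answered from the on-disk id_count alone, so a corrupted id_count
 * approves a write that runs past the block buffer.
 */
int write_fits_trusting_disk(const struct dinode *di, size_t pos, size_t len)
{
	return pos + len <= di->id_count;
}

/*
 * Read-time validation in the spirit of the patch: for an inline inode,
 * reject an id_count larger than the block can physically hold, next to an
 * (assumed pre-existing) check that i_size does not exceed id_count.
 * Non-inline inodes are deliberately not covered, matching the patch's scope.
 * Returns 0 for a sane block, -1 for a corrupted one.
 */
int validate_inode_block(const struct dinode *di)
{
	if (!(di->i_flags & INLINE_DATA_FL))
		return 0;  /* id_count is not consulted on the non-inline path */
	if (di->id_count > max_inline_data(di))
		return -1; /* claims more inline data than fits in the block */
	if (di->i_size > di->id_count)
		return -1; /* assumed existing i_size bound */
	return 0;
}

/*
 * Write path: validate first, then copy. The physical bound is re-checked
 * (overflow-safe) before memcpy, so this demo never writes out of bounds
 * even when handed a corrupted block. Returns bytes copied or -1.
 */
long inline_write(uint8_t *block, size_t pos, const uint8_t *src, size_t len)
{
	struct dinode *di = (struct dinode *)block;
	size_t cap = max_inline_data(di);

	if (validate_inode_block(di) != 0)
		return -1;
	if (pos > cap || len > cap - pos)
		return -1;
	memcpy(di->id_data + pos, src, len);
	return (long)len;
}

/* Build a constructed block with the given flags and (possibly bogus) id_count. */
void make_block(uint8_t *block, uint32_t flags, uint16_t id_count)
{
	struct dinode *di = (struct dinode *)block;

	memset(block, 0, BLOCK_SIZE);
	memcpy(di->i_signature, "TOYINODE", 8);
	di->i_flags = flags;
	di->i_xattr_inline_size = 0;
	di->i_size = 0;
	di->id_count = id_count;
}

int main(void)
{
	uint8_t blk[BLOCK_SIZE];
	struct dinode *di = (struct dinode *)blk;

	/* Corrupted: id_count far beyond the 484 bytes this layout can hold. */
	make_block(blk, INLINE_DATA_FL, 4096);
	printf("naive fit check approves 1000-byte write: %d\n",
	       write_fits_trusting_disk(di, 0, 1000));
	printf("validate_inode_block: %d\n", validate_inode_block(di));
	printf("inline_write: %ld\n", inline_write(blk, 0, (const uint8_t *)"x", 1));

	/* Honest block: writes within capacity succeed, beyond it are refused. */
	make_block(blk, INLINE_DATA_FL, (uint16_t)max_inline_data(di));
	printf("honest 5-byte write: %ld\n",
	       inline_write(blk, 0, (const uint8_t *)"hello", 5));
	printf("write crossing the end: %ld\n",
	       inline_write(blk, 480, (const uint8_t *)"hello", 5));
	return 0;
}
```

The point of the model is where the bound lives: once the block is validated when it is read, the write path can keep trusting id_count, because a value that exceeds the physical capacity never reaches it.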