Re: [PATCH 4/5] ocfs2: validate inline xattr header before inline refcount attach
From: Joseph Qi
Date: Mon May 11 2026 - 02:35:47 EST
On 5/8/26 4:59 PM, ZhengYuan Huang wrote:
> [BUG]
> A corrupt inline xattr header can make ocfs2_xattr_inline_attach_refcount()
> feed an unchecked header into the refcount-attachment walk for inline
> xattr values.
>
> [CAUSE]
> The inline refcount-attach path still derived the header directly from
> di->i_xattr_inline_size and then passed it to code that iterates xh_count
> and xattr entries.
>
> [FIX]
> Use the shared ibody header helper before attaching refcounts to inline
> xattr values so corrupt header geometry is rejected with -EFSCORRUPTED
> instead of being traversed.
>
> Signed-off-by: ZhengYuan Huang <gality369@xxxxxxxxx>
Looks fine.
Reviewed-by: Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx>
> ---
> fs/ocfs2/xattr.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c
> index bbb25a01b097..4877406a83ce 100644
> --- a/fs/ocfs2/xattr.c
> +++ b/fs/ocfs2/xattr.c
> @@ -6016,14 +6016,17 @@ static int ocfs2_xattr_inline_attach_refcount(struct inode *inode,
> struct ocfs2_cached_dealloc_ctxt *dealloc)
> {
> struct ocfs2_dinode *di = (struct ocfs2_dinode *)fe_bh->b_data;
> - struct ocfs2_xattr_header *header = (struct ocfs2_xattr_header *)
> - (fe_bh->b_data + inode->i_sb->s_blocksize -
> - le16_to_cpu(di->i_xattr_inline_size));
> + struct ocfs2_xattr_header *header;
> + int ret;
> struct ocfs2_xattr_value_buf vb = {
> .vb_bh = fe_bh,
> .vb_access = ocfs2_journal_access_di,
> };
>
> + ret = ocfs2_xattr_ibody_lookup_header(inode, di, &header);
> + if (ret)
> + return ret;
> +
> return ocfs2_xattr_attach_refcount_normal(inode, &vb, header,
> ref_ci, ref_root_bh, dealloc);
> }