Thanks for the review, Jan. You're right that v1 failed to identify why the buffer changes.

I dug into the syzbot reproducer — the corruption path is:

1. Mount a crafted ext4 image on a loop device
2. Bind-mount the loop device, open + mmap it MAP_SHARED|PROT_WRITE
3. Write through the mapping — this overwrites the inline xattr entry directly in the bdev page cache

The inode buffer_head stays uptodate throughout, so no re-validation ever triggers — xattr_check_inode() at iget time is thorough but only runs once, leaving subsequent in-place corruption of the page cache undetected.

However, ext4_xattr_ibody_get() already guards against this with a bounds check before its memcpy (xattr.c:674). ext4_read_inline_data() lacks the same check because it indexes via the cached i_inline_off, bypassing xattr_find_entry() entirely.

I think aligning the two paths is worthwhile, and it would also clear this syzbot report. Would a v2 with this framing be acceptable to you?

Many thanks,
Junjie
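
A userspace model of the check discussed in the message above, added here as an illustration; it is not code from the ext4 source or from the proposed patch. The entry layout, `AREA_SIZE`, `TOY_ECORRUPT`, `read_inline_checked()` and `demo()` are all hypothetical names and values chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AREA_SIZE 96     /* constructed size of the toy xattr area */
#define TOY_ECORRUPT 1   /* hypothetical error code for this model */

/* Hypothetical, simplified entry; not the real ext4 on-disk layout. */
struct toy_entry {
    uint16_t value_offs; /* value offset from the start of the area */
    uint32_t value_size; /* value length in bytes */
};

/* Copy the value found via a cached entry offset. The entry is snapshotted
 * once and its fields are bounds-checked on every call, since the backing
 * buffer may have changed after it was first validated. */
int read_inline_checked(const uint8_t *area, size_t area_len,
                        size_t cached_off, void *dst, size_t dst_len)
{
    struct toy_entry e;

    if (cached_off > area_len || area_len - cached_off < sizeof(e))
        return -TOY_ECORRUPT;
    memcpy(&e, area + cached_off, sizeof(e));
    if (e.value_offs > area_len || e.value_size > area_len - e.value_offs)
        return -TOY_ECORRUPT;
    size_t n = e.value_size < dst_len ? e.value_size : dst_len;
    memcpy(dst, area + e.value_offs, n);
    return (int)n;
}

/* Build a constructed area (entry at offset 0, value at offset 16), then
 * overwrite value_size in place the way a later write to the buffer would. */
int demo(uint32_t size_after_validation)
{
    uint8_t area[AREA_SIZE] = {0}, out[AREA_SIZE];
    struct toy_entry e = { 16, 11 };

    memcpy(area, &e, sizeof(e));
    memcpy(area + 16, "inline-data", 11);
    e.value_size = size_after_validation;
    memcpy(area, &e, sizeof(e));
    return read_inline_checked(area, sizeof(area), 0, out, sizeof(out));
}

int main(void)
{
    /* Unchanged entry reads 11 bytes; an oversized one is rejected. */
    return !(demo(11) == 11 && demo(0xFFFFFFF0u) == -TOY_ECORRUPT);
}
```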