ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
authorTheodore Ts'o <tytso@mit.edu>
Thu, 17 Jul 2025 14:54:34 +0000 (10:54 -0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 28 Aug 2025 14:21:27 +0000 (16:21 +0200)
[ Upstream commit 099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 ]

A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()
when an inode had the INLINE_DATA_FL flag set but was missing the
system.data extended attribute.

Since this can happen due to a maliciously fuzzed file system, we
shouldn't BUG, but rather, report it as a corrupted file system.

Add similar replacements of BUG_ON with EXT4_ERROR_INODE() in
ext4_create_inline_data() and ext4_inline_data_truncate().

Reported-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
fs/ext4/inline.c

index 7e8892dad2d736717e53dc5dc0344f9fd9ec31c5..626be0ec3c7a4ec63329f8903f27cf8c3b69596d 100644 (file)
@@ -296,7 +296,11 @@ static int ext4_create_inline_data(handle_t *handle,
        if (error)
                goto out;
 
-       BUG_ON(!is.s.not_found);
+       if (!is.s.not_found) {
+               EXT4_ERROR_INODE(inode, "unexpected inline data xattr");
+               error = -EFSCORRUPTED;
+               goto out;
+       }
 
        error = ext4_xattr_ibody_set(handle, inode, &i, &is);
        if (error) {
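Review bot: The new `if (!is.s.not_found)` check before ext4_xattr_ibody_set() carries no comment explaining why an already-present system.data entry is treated as on-disk corruption rather than a programming error, and the same is true of the `is.s.not_found` checks added in ext4_update_inline_data() and ext4_inline_data_truncate(). A one-line comment above each, such as `/* Reachable from a crafted image: report corruption, do not assert. */`, would keep a later cleanup from turning them back into assertions. Note also that EXT4_ERROR_INODE() acts according to the mount's errors= policy, so with errors=panic such an image still takes the machine down; systems that mount untrusted media should not rely on this change alone. The enclosing function starts and ends outside the hunk, so the `out` cleanup path is not visible here.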
@@ -347,7 +351,11 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
        if (error)
                goto out;
 
-       BUG_ON(is.s.not_found);
+       if (is.s.not_found) {
+               EXT4_ERROR_INODE(inode, "missing inline data xattr");
+               error = -EFSCORRUPTED;
+               goto out;
+       }
 
        len -= EXT4_MIN_INLINE_DATA_SIZE;
        value = kzalloc(len, GFP_NOFS);
@@ -1978,7 +1986,12 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
                        if ((err = ext4_xattr_ibody_find(inode, &i, &is)) != 0)
                                goto out_error;
 
-                       BUG_ON(is.s.not_found);
+                       if (is.s.not_found) {
+                               EXT4_ERROR_INODE(inode,
+                                                "missing inline data xattr");
+                               err = -EFSCORRUPTED;
+                               goto out_error;
+                       }
 
                        value_len = le32_to_cpu(is.s.here->e_value_size);
                        value = kmalloc(value_len, GFP_NOFS);
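Review bot: `value_len` is read from the on-disk entry (`is.s.here->e_value_size`) and passed straight to `kmalloc()` in the lines right after the new check, so the allocation size comes from the same untrusted image this commit defends against. Whether e_value_size has already been bounded depends on validation inside ext4_xattr_ibody_find() or earlier, which this hunk does not show. If it has been, a short comment such as `/* e_value_size was bounds-checked when the in-inode xattrs were validated */` would record that. If it has not, an out-of-range size should take the same EXT4_ERROR_INODE() / `-EFSCORRUPTED` / `goto out_error` path before the allocation. The rest of the function, including the `out_error` label, lies outside the hunk.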