Commit 099b847c authored by Theodore Ts'o's avatar Theodore Ts'o

ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr



A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()
when an inode had the INLINE_DATA_FL flag set but was missing the
system.data extended attribute.

Since this can happen due to a maliciously fuzzed file system, we
shouldn't BUG, but rather, report it as a corrupted file system.

Add similar replacements of BUG_ON with EXT4_ERROR_INODE() in
ext4_create_inline_data() and ext4_inline_data_truncate().

Reported-by: default avatar <syzbot+544248a761451c0df72f@syzkaller.appspotmail.com>
Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
parent a3ce570a
+16 −3
@@ -303,7 +303,11 @@ static int ext4_create_inline_data(handle_t *handle,
	if (error)
		goto out;

	BUG_ON(!is.s.not_found);
	if (!is.s.not_found) {
		EXT4_ERROR_INODE(inode, "unexpected inline data xattr");
		error = -EFSCORRUPTED;
		goto out;
	}

	error = ext4_xattr_ibody_set(handle, inode, &i, &is);
	if (error) {
@@ -354,7 +358,11 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
	if (error)
		goto out;

	BUG_ON(is.s.not_found);
	if (is.s.not_found) {
		EXT4_ERROR_INODE(inode, "missing inline data xattr");
		error = -EFSCORRUPTED;
		goto out;
	}

	len -= EXT4_MIN_INLINE_DATA_SIZE;
	value = kzalloc(len, GFP_NOFS);
@@ -1869,7 +1877,12 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
			if ((err = ext4_xattr_ibody_find(inode, &i, &is)) != 0)
				goto out_error;

			BUG_ON(is.s.not_found);
			if (is.s.not_found) {
				EXT4_ERROR_INODE(inode,
						 "missing inline data xattr");
				err = -EFSCORRUPTED;
				goto out_error;
			}

			value_len = le32_to_cpu(is.s.here->e_value_size);
			value = kmalloc(value_len, GFP_NOFS);
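Review bot: In the last hunk (ext4_inline_data_truncate), `value_len` is read from the on-disk entry with `le32_to_cpu(is.s.here->e_value_size)` and passed to `kmalloc()` right after the new check, so on the crafted images this commit targets the allocation size is still image-controlled as far as these lines show. The added guard proves only that the entry exists, not that its size is sane. If `ext4_xattr_ibody_find()` already range-checks the entry, a comment such as `/* e_value_size was validated when the in-inode xattrs were checked */` would record that; if it does not, a bound against the inode's in-body xattr space with the same `EXT4_ERROR_INODE()` / `-EFSCORRUPTED` exit belongs before the `kmalloc()`. The function continues past the end of the hunk, so the NULL check on `value` and the later uses of `value_len` are not visible here.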