From: Moon Hee Lee <moonhee.lee.ca@gmail.com>
To: tytso@mit.edu, adilger.kernel@dilger.ca
Cc: linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot+544248a761451c0df72f@syzkaller.appspotmail.com,
linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org,
david.hunter.linux@gmail.com,
Moon Hee Lee <moonhee.lee.ca@gmail.com>
Subject: [PATCH] ext4: bail out when EXT4_INLINE_DATA_FL lacks system.data xattr
Date: Thu, 10 Jul 2025 10:58:38 -0700
Message-ID: <20250710175837.29822-2-moonhee.lee.ca@gmail.com>
A syzbot-generated disk image triggered a BUG_ON in
ext4_update_inline_data() when an inode had the EXT4_INLINE_DATA_FL flag
set but lacked the required system.data extended attribute.
ext4_prepare_inline_data() now checks for the presence of this xattr and
returns -EFSCORRUPTED if it is missing. This prevents corrupted inodes
from reaching the update path and causing a crash.
[1] Syzbot crash log:
EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
fscrypt: AES-256-XTS using implementation "xts-aes-aesni-avx"
loop0: detected capacity change from 512 to 64
------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:357!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5499 Comm: syz.0.16 Not tainted 6.16.0-rc4-syzkaller-00348-g772b78c2abd8 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:ext4_update_inline_data+0x4e8/0x4f0 fs/ext4/inline.c:357
Code: ...
Call Trace:
<TASK>
ext4_prepare_inline_data+0x141/0x1d0 fs/ext4/inline.c:415
ext4_generic_write_inline_data+0x207/0xc90 fs/ext4/inline.c:692
ext4_try_to_write_inline_data+0x80/0xa0 fs/ext4/inline.c:763
ext4_write_begin+0x2d8/0x1680 fs/ext4/inode.c:1281
generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
ext4_buffered_write_iter+0xce/0x3a0 fs/ext4/file.c:299
ext4_file_write_iter+0x298/0x1bc0 fs/ext4/file.c:-1
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x548/0xa90 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: ...
</TASK>
[2] Reproducer image:
https://storage.googleapis.com/syzbot-assets/f97118969515/mount_0.gz
[3] e2fsck output on the provided image:
$ e2fsck -fn mount_0
e2fsck 1.47.0 (5-Feb-2023)
One or more block group descriptor checksums are invalid. Fix? no
Group descriptor 0 checksum is 0x8245, should be 0x353a. IGNORED.
Pass 1: Checking inodes, blocks, and sizes
Inode 12 has INLINE_DATA_FL flag but extended attribute not found. Truncate? no
Inode 16, i_blocks is 3298534883346, should be 18. Fix? no
Inode 17, i_blocks is 17592186044416, should be 0. Fix? no
Pass 2: Checking directory structure
Symlink /file0/file1 (inode #14) is invalid.
Clear? no
Entry 'file1' in /file0 (12) has an incorrect filetype (was 7, should be 0).
Fix? no
Directory inode 11, block #5, offset 0: directory corrupted
Salvage? no
e2fsck: aborted
syzkaller: ********** WARNING: Filesystem still has errors **********
Reported-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=544248a761451c0df72f
Fixes: 67cf5b09a46f ("ext4: add the basic function for inline data support")
Tested-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com
Signed-off-by: Moon Hee Lee <moonhee.lee.ca@gmail.com>
---
fs/ext4/inline.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index a1bbcdf40824..d9dcb0b09e5c 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -399,6 +399,13 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
loff_t len)
{
+ struct ext4_xattr_ibody_find is = {
+ .s = { .not_found = -ENODATA, },
+ };
+ struct ext4_xattr_info i = {
+ .name_index = EXT4_XATTR_INDEX_SYSTEM,
+ .name = EXT4_XATTR_SYSTEM_DATA,
+ };
int ret, size, no_expand;
struct ext4_inode_info *ei = EXT4_I(inode);
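Review bot: the designated initializer for `is` zero-fills everything except `is.s.not_found`, so `is.iloc.bh` is NULL until ext4_get_inode_loc() succeeds; the `brelse(is.iloc.bh)` that the later `out:` path performs on every exit relies on that (brelse() accepts NULL). A one-line comment next to the initializer saying that `iloc.bh` must start NULL for the cleanup path would make the invariant explicit for the next person who reorders these locals.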
@@ -409,6 +416,19 @@ static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
if (size < len)
return -ENOSPC;
+ ret = ext4_get_inode_loc(inode, &is.iloc);
+ if (ret)
+ goto out;
+
+ ret = ext4_xattr_ibody_find(inode, &i, &is);
+ if (ret)
+ goto out;
+
+ if (is.s.not_found) {
+ ret = -EFSCORRUPTED;
+ goto out;
+ }
+
ext4_write_lock_xattr(inode, &no_expand);
if (ei->i_inline_off)
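Review bot: the new ext4_get_inode_loc()/ext4_xattr_ibody_find() pass runs before ext4_write_lock_xattr() is taken (the lock call is the first unchanged line after the insertion), so its result is an unlocked snapshot rather than a guarantee that holds inside the locked region; and since the crash trace places the BUG_ON at fs/ext4/inline.c:357 inside ext4_update_inline_data(), which is where the kernel currently discovers the missing xattr, this adds a second lookup on every inline write just to catch the corrupt case. Consider instead turning that BUG_ON into an error return under the lock. In either place, a bare `ret = -EFSCORRUPTED` leaves the corruption unreported: the ext4 convention is to call EXT4_ERROR_INODE(inode, "...") so the event is logged and the errors= mount policy (remount-ro, panic) is applied, which is what lets an operator notice a crafted image instead of just seeing a write fail.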
@@ -417,6 +437,8 @@ static int ext4_prepare_inline_data(handle_t *handle, struct inode *inode,
ret = ext4_create_inline_data(handle, inode, len);
ext4_write_unlock_xattr(inode, &no_expand);
+out:
+ brelse(is.iloc.bh);
return ret;
}
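Review bot: the `out:` label is placed after ext4_write_unlock_xattr() and all three new `goto out` sites precede ext4_write_lock_xattr(), so no unlock is skipped, and the pre-existing `return -ENOSPC` happens before ext4_get_inode_loc(), so no buffer head is leaked on that path either. The trade-off is that the buffer head is now held across the create/update path on success; releasing it immediately after the `is.s.not_found` check (and keeping `out:` only for the early failures) would shorten the reference's lifetime and keep the success path free of the label.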
--
2.43.0
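As an added example (not part of this patch or of the ext4 tree), a user-space checker for the invariant the patch enforces, which is the same inconsistency e2fsck flagged for inode 12 above: an inode with EXT4_INLINE_DATA_FL must carry a system.data entry in its in-inode xattr body. It walks the on-disk layout directly, assumes little-endian fields and a 256-byte inode, and the function names and the constructed sample inode are mine, not ext4's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* On-disk ext4 constants (values as in fs/ext4/ext4.h and fs/ext4/xattr.h). */
#define EXT4_GOOD_OLD_INODE_SIZE 128   /* i_extra_isize is the u16 right after this */
#define EXT4_INLINE_DATA_FL      0x10000000u
#define EXT4_XATTR_MAGIC         0xEA020000u
#define EXT4_XATTR_INDEX_SYSTEM  7
#define I_FLAGS_OFF              0x20  /* offsetof(struct ext4_inode, i_flags) */
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Walk the in-inode xattr body: 1 = system.data present, 0 = absent, -1 = an entry runs past the inode. */
int ibody_has_system_data(const uint8_t *ino, size_t isize)
{
    size_t off = EXT4_GOOD_OLD_INODE_SIZE;
    if (isize < off + 2) return 0;                         /* 128-byte inode: no ibody at all */
    off += ino[off] | ino[off + 1] << 8;                   /* skip the i_extra_isize bytes */
    if (off + 4 > isize || le32(ino + off) != EXT4_XATTR_MAGIC) return 0;  /* no ibody header */
    for (off += 4; off + 4 <= isize;) {                    /* entry = 16-byte header + name */
        if (le32(ino + off) == 0) return 0;                /* IS_LAST_ENTRY() */
        uint8_t name_len = ino[off], name_index = ino[off + 1];
        if (off + 16 + name_len > isize) return -1;
        if (name_index == EXT4_XATTR_INDEX_SYSTEM && name_len == 4 &&
            memcmp(ino + off + 16, "data", 4) == 0)
            return 1;
        off += (16 + name_len + 3) & ~(size_t)3;           /* EXT4_XATTR_NEXT(): 4-byte rounding */
    }
    return -1;
}

/* 0 = consistent; 1 = INLINE_DATA_FL set but system.data missing (inode 12 above); -1 = malformed. */
int check_inline_data_flag(const uint8_t *ino, size_t isize)
{
    int r = (le32(ino + I_FLAGS_OFF) & EXT4_INLINE_DATA_FL) ? ibody_has_system_data(ino, isize) : 1;
    return r < 0 ? -1 : !r;                                /* flag clear: nothing to require */
}

/* Constructed 256-byte inode: flag set, i_extra_isize = 32, ibody at byte 160, optional system.data. */
int check_constructed_inode(int with_system_data)
{
    uint8_t ino[256] = {0}, *e = ino + EXT4_GOOD_OLD_INODE_SIZE + 32;
    put32(ino + I_FLAGS_OFF, EXT4_INLINE_DATA_FL);
    ino[EXT4_GOOD_OLD_INODE_SIZE] = 32; put32(e, EXT4_XATTR_MAGIC);   /* i_extra_isize, ibody magic */
    if (with_system_data) {
        e[4] = 4; e[5] = EXT4_XATTR_INDEX_SYSTEM; e[6] = 20; e[12] = 60; /* name_len, index, value_offs, value_size */
        memcpy(e + 4 + 16, "data", 4);                     /* the zeros after the name end the list */
    }
    return check_inline_data_flag(ino, sizeof ino);
}
```

Running the same check over every in-use inode of an image (inode size from the superblock's s_inode_size) reproduces the e2fsck pass 1 finding before the image is ever mounted.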
Thread overview:
2025-07-10 17:58 Moon Hee Lee [this message]
2025-07-22 5:53 ` [PATCH] ext4: bail out when EXT4_INLINE_DATA_FL lacks system.data xattr kernel test robot