| Message ID | 20241216134600.8308-1-chao@kernel.org (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [f2fs-dev] f2fs: fix to do sanity check correctly on i_inline_xattr_size | expand |
On 12/16, Chao Yu wrote: > syzbot reported an out-of-range access issue as below: > > UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3292:19 > index 18446744073709550491 is out of range for type '__le32[923]' (aka 'unsigned int[923]') > CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0 > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:94 [inline] > dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 > ubsan_epilogue lib/ubsan.c:231 [inline] > __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429 > read_inline_xattr+0x273/0x280 > lookup_all_xattrs fs/f2fs/xattr.c:341 [inline] > f2fs_getxattr+0x57b/0x13b0 fs/f2fs/xattr.c:533 > vfs_getxattr_alloc+0x472/0x5c0 fs/xattr.c:393 > ima_read_xattr+0x38/0x60 security/integrity/ima/ima_appraise.c:229 > process_measurement+0x117a/0x1fb0 security/integrity/ima/ima_main.c:353 > ima_file_check+0xd9/0x120 security/integrity/ima/ima_main.c:572 > security_file_post_open+0xb9/0x280 security/security.c:3121 > do_open fs/namei.c:3830 [inline] > path_openat+0x2ccd/0x3590 fs/namei.c:3987 > do_file_open_root+0x3a7/0x720 fs/namei.c:4039 > file_open_root+0x247/0x2a0 fs/open.c:1382 > do_handle_open+0x85b/0x9d0 fs/fhandle.c:414 > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > index: 18446744073709550491 (decimal, unsigned long long) > = 0xfffffffffffffb9b (hexadecimal) = -1125 (decimal, long long) > UBSAN detects that inline_xattr_addr() tries to access .i_addr[-1125]. > > w/ below testcase, it can reproduce this bug easily: > - mkfs.f2fs -f -O extra_attr,flexible_inline_xattr /dev/sdb > - mount -o inline_xattr_size=512 /dev/sdb /mnt/f2fs > - touch /mnt/f2fs/file > - umount /mnt/f2fs > - inject.f2fs --node --mb i_inline --nid 4 --val 0x1 /dev/sdb > - inject.f2fs --node --mb i_inline_xattr_size --nid 4 --val 2048 /dev/sdb > - mount /dev/sdb /mnt/f2fs > - getfattr /mnt/f2fs/file > > The root cause is if metadata of filesystem and inode were fuzzed as below: > - extra_attr feature is enabled > - flexible_inline_xattr feature is enabled > - ri.i_inline_xattr_size = 2048 > - F2FS_EXTRA_ATTR bit in ri.i_inline was not set > > sanity_check_inode() will skip doing sanity check on fi->i_inline_xattr_size, > result in using invalid inline_xattr_size later incorrectly, fix it. > > Meanwhile, let's fix to check lower boundary for .i_inline_xattr_size w/ > MIN_INLINE_XATTR_SIZE like we did in parse_options(). > > Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size") > Reported-by: syzbot+69f5379a1717a0b982a1@syzkaller.appspotmail.com > Closes: https://lore.kernel.org/linux-f2fs-devel/674f4e7d.050a0220.17bd51.004f.GAE@google.com > Signed-off-by: Chao Yu <chao@kernel.org> > --- > fs/f2fs/inode.c | 19 ++++++++++--------- > 1 file changed, 10 insertions(+), 9 deletions(-) > > diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c > index 282fd320bdb3..29ccc64faae9 100644 > --- a/fs/f2fs/inode.c > +++ b/fs/f2fs/inode.c > @@ -302,15 +302,6 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) > F2FS_TOTAL_EXTRA_ATTR_SIZE); > return false; > } > - if (f2fs_sb_has_flexible_inline_xattr(sbi) && > - f2fs_has_inline_xattr(inode) && > - (!fi->i_inline_xattr_size || > - fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) { > - f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, max: %lu", > - __func__, inode->i_ino, fi->i_inline_xattr_size, > - MAX_INLINE_XATTR_SIZE); > - return false; > - } > if (f2fs_sb_has_compression(sbi) && > fi->i_flags & F2FS_COMPR_FL && > F2FS_FITS_IN_INODE(ri, fi->i_extra_isize, > @@ -320,6 +311,16 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) > } > } > > + if (f2fs_sb_has_flexible_inline_xattr(sbi) && > + f2fs_has_inline_xattr(inode) && > + (fi->i_inline_xattr_size < MIN_INLINE_XATTR_SIZE || > + fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) { > + f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, min: %u, max: %lu", --> %lu? > + __func__, inode->i_ino, fi->i_inline_xattr_size, > + MIN_INLINE_XATTR_SIZE, MAX_INLINE_XATTR_SIZE); > + return false; > + } > + > if (!f2fs_sb_has_extra_attr(sbi)) { > if (f2fs_sb_has_project_quota(sbi)) { > f2fs_warn(sbi, "%s: corrupted inode ino=%lx, wrong feature flag: %u, run fsck to fix.", > -- > 2.40.1
On 1/8/25 03:28, Jaegeuk Kim wrote: > On 12/16, Chao Yu wrote: >> syzbot reported an out-of-range access issue as below: >> >> UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3292:19 >> index 18446744073709550491 is out of range for type '__le32[923]' (aka 'unsigned int[923]') >> CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0 >> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 >> Call Trace: >> <TASK> >> __dump_stack lib/dump_stack.c:94 [inline] >> dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 >> ubsan_epilogue lib/ubsan.c:231 [inline] >> __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429 >> read_inline_xattr+0x273/0x280 >> lookup_all_xattrs fs/f2fs/xattr.c:341 [inline] >> f2fs_getxattr+0x57b/0x13b0 fs/f2fs/xattr.c:533 >> vfs_getxattr_alloc+0x472/0x5c0 fs/xattr.c:393 >> ima_read_xattr+0x38/0x60 security/integrity/ima/ima_appraise.c:229 >> process_measurement+0x117a/0x1fb0 security/integrity/ima/ima_main.c:353 >> ima_file_check+0xd9/0x120 security/integrity/ima/ima_main.c:572 >> security_file_post_open+0xb9/0x280 security/security.c:3121 >> do_open fs/namei.c:3830 [inline] >> path_openat+0x2ccd/0x3590 fs/namei.c:3987 >> do_file_open_root+0x3a7/0x720 fs/namei.c:4039 >> file_open_root+0x247/0x2a0 fs/open.c:1382 >> do_handle_open+0x85b/0x9d0 fs/fhandle.c:414 >> do_syscall_x64 arch/x86/entry/common.c:52 [inline] >> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 >> entry_SYSCALL_64_after_hwframe+0x77/0x7f >> >> index: 18446744073709550491 (decimal, unsigned long long) >> = 0xfffffffffffffb9b (hexadecimal) = -1125 (decimal, long long) >> UBSAN detects that inline_xattr_addr() tries to access .i_addr[-1125]. >> >> w/ below testcase, it can reproduce this bug easily: >> - mkfs.f2fs -f -O extra_attr,flexible_inline_xattr /dev/sdb >> - mount -o inline_xattr_size=512 /dev/sdb /mnt/f2fs >> - touch /mnt/f2fs/file >> - umount /mnt/f2fs >> - inject.f2fs --node --mb i_inline --nid 4 --val 0x1 /dev/sdb >> - inject.f2fs --node --mb i_inline_xattr_size --nid 4 --val 2048 /dev/sdb >> - mount /dev/sdb /mnt/f2fs >> - getfattr /mnt/f2fs/file >> >> The root cause is if metadata of filesystem and inode were fuzzed as below: >> - extra_attr feature is enabled >> - flexible_inline_xattr feature is enabled >> - ri.i_inline_xattr_size = 2048 >> - F2FS_EXTRA_ATTR bit in ri.i_inline was not set >> >> sanity_check_inode() will skip doing sanity check on fi->i_inline_xattr_size, >> result in using invalid inline_xattr_size later incorrectly, fix it. >> >> Meanwhile, let's fix to check lower boundary for .i_inline_xattr_size w/ >> MIN_INLINE_XATTR_SIZE like we did in parse_options(). >> >> Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size") >> Reported-by: syzbot+69f5379a1717a0b982a1@syzkaller.appspotmail.com >> Closes: https://lore.kernel.org/linux-f2fs-devel/674f4e7d.050a0220.17bd51.004f.GAE@google.com >> Signed-off-by: Chao Yu <chao@kernel.org> >> --- >> fs/f2fs/inode.c | 19 ++++++++++--------- >> 1 file changed, 10 insertions(+), 9 deletions(-) >> >> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c >> index 282fd320bdb3..29ccc64faae9 100644 >> --- a/fs/f2fs/inode.c >> +++ b/fs/f2fs/inode.c >> @@ -302,15 +302,6 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) >> F2FS_TOTAL_EXTRA_ATTR_SIZE); >> return false; >> } >> - if (f2fs_sb_has_flexible_inline_xattr(sbi) && >> - f2fs_has_inline_xattr(inode) && >> - (!fi->i_inline_xattr_size || >> - fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) { >> - f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, max: %lu", >> - __func__, inode->i_ino, fi->i_inline_xattr_size, >> - MAX_INLINE_XATTR_SIZE); >> - return false; >> - } >> if (f2fs_sb_has_compression(sbi) && >> fi->i_flags & F2FS_COMPR_FL && >> F2FS_FITS_IN_INODE(ri, fi->i_extra_isize, >> @@ -320,6 +311,16 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) >> } >> } >> >> + if (f2fs_sb_has_flexible_inline_xattr(sbi) && >> + f2fs_has_inline_xattr(inode) && >> + (fi->i_inline_xattr_size < MIN_INLINE_XATTR_SIZE || >> + fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) { >> + f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, min: %u, max: %lu", > --> %lu? Thanks for fixing. I'd like to fix this in v2, meanwhile including more information from Qasdev's patch. Thanks, >> + __func__, inode->i_ino, fi->i_inline_xattr_size, >> + MIN_INLINE_XATTR_SIZE, MAX_INLINE_XATTR_SIZE); >> + return false; >> + } >> + >> if (!f2fs_sb_has_extra_attr(sbi)) { >> if (f2fs_sb_has_project_quota(sbi)) { >> f2fs_warn(sbi, "%s: corrupted inode ino=%lx, wrong feature flag: %u, run fsck to fix.", >> -- >> 2.40.1
On 01/10, Chao Yu wrote: > On 1/8/25 03:28, Jaegeuk Kim wrote: > > On 12/16, Chao Yu wrote: > > > syzbot reported an out-of-range access issue as below: > > > > > > UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3292:19 > > > index 18446744073709550491 is out of range for type '__le32[923]' (aka 'unsigned int[923]') > > > CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0 > > > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 > > > Call Trace: > > > <TASK> > > > __dump_stack lib/dump_stack.c:94 [inline] > > > dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 > > > ubsan_epilogue lib/ubsan.c:231 [inline] > > > __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429 > > > read_inline_xattr+0x273/0x280 > > > lookup_all_xattrs fs/f2fs/xattr.c:341 [inline] > > > f2fs_getxattr+0x57b/0x13b0 fs/f2fs/xattr.c:533 > > > vfs_getxattr_alloc+0x472/0x5c0 fs/xattr.c:393 > > > ima_read_xattr+0x38/0x60 security/integrity/ima/ima_appraise.c:229 > > > process_measurement+0x117a/0x1fb0 security/integrity/ima/ima_main.c:353 > > > ima_file_check+0xd9/0x120 security/integrity/ima/ima_main.c:572 > > > security_file_post_open+0xb9/0x280 security/security.c:3121 > > > do_open fs/namei.c:3830 [inline] > > > path_openat+0x2ccd/0x3590 fs/namei.c:3987 > > > do_file_open_root+0x3a7/0x720 fs/namei.c:4039 > > > file_open_root+0x247/0x2a0 fs/open.c:1382 > > > do_handle_open+0x85b/0x9d0 fs/fhandle.c:414 > > > do_syscall_x64 arch/x86/entry/common.c:52 [inline] > > > do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 > > > entry_SYSCALL_64_after_hwframe+0x77/0x7f > > > > > > index: 18446744073709550491 (decimal, unsigned long long) > > > = 0xfffffffffffffb9b (hexadecimal) = -1125 (decimal, long long) > > > UBSAN detects that inline_xattr_addr() tries to access .i_addr[-1125]. > > > > > > w/ below testcase, it can reproduce this bug easily: > > > - mkfs.f2fs -f -O extra_attr,flexible_inline_xattr /dev/sdb > > > - mount -o inline_xattr_size=512 /dev/sdb /mnt/f2fs > > > - touch /mnt/f2fs/file > > > - umount /mnt/f2fs > > > - inject.f2fs --node --mb i_inline --nid 4 --val 0x1 /dev/sdb > > > - inject.f2fs --node --mb i_inline_xattr_size --nid 4 --val 2048 /dev/sdb > > > - mount /dev/sdb /mnt/f2fs > > > - getfattr /mnt/f2fs/file > > > > > > The root cause is if metadata of filesystem and inode were fuzzed as below: > > > - extra_attr feature is enabled > > > - flexible_inline_xattr feature is enabled > > > - ri.i_inline_xattr_size = 2048 > > > - F2FS_EXTRA_ATTR bit in ri.i_inline was not set > > > > > > sanity_check_inode() will skip doing sanity check on fi->i_inline_xattr_size, > > > result in using invalid inline_xattr_size later incorrectly, fix it. > > > > > > Meanwhile, let's fix to check lower boundary for .i_inline_xattr_size w/ > > > MIN_INLINE_XATTR_SIZE like we did in parse_options(). > > > > > > Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size") > > > Reported-by: syzbot+69f5379a1717a0b982a1@syzkaller.appspotmail.com > > > Closes: https://lore.kernel.org/linux-f2fs-devel/674f4e7d.050a0220.17bd51.004f.GAE@google.com > > > Signed-off-by: Chao Yu <chao@kernel.org> > > > --- > > > fs/f2fs/inode.c | 19 ++++++++++--------- > > > 1 file changed, 10 insertions(+), 9 deletions(-) > > > > > > diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c > > > index 282fd320bdb3..29ccc64faae9 100644 > > > --- a/fs/f2fs/inode.c > > > +++ b/fs/f2fs/inode.c > > > @@ -302,15 +302,6 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) > > > F2FS_TOTAL_EXTRA_ATTR_SIZE); > > > return false; > > > } > > > - if (f2fs_sb_has_flexible_inline_xattr(sbi) && > > > - f2fs_has_inline_xattr(inode) && > > > - (!fi->i_inline_xattr_size || > > > - fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) { > > > - f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, max: %lu", > > > - __func__, inode->i_ino, fi->i_inline_xattr_size, > > > - MAX_INLINE_XATTR_SIZE); > > > - return false; > > > - } > > > if (f2fs_sb_has_compression(sbi) && > > > fi->i_flags & F2FS_COMPR_FL && > > > F2FS_FITS_IN_INODE(ri, fi->i_extra_isize, > > > @@ -320,6 +311,16 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) > > > } > > > } > > > + if (f2fs_sb_has_flexible_inline_xattr(sbi) && > > > + f2fs_has_inline_xattr(inode) && > > > + (fi->i_inline_xattr_size < MIN_INLINE_XATTR_SIZE || > > > + fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) { > > > + f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, min: %u, max: %lu", > > --> %lu? > > Thanks for fixing. > > I'd like to fix this in v2, meanwhile including more information from Qasdev's > patch. Ok, let me know. > > Thanks, > > > > + __func__, inode->i_ino, fi->i_inline_xattr_size, > > > + MIN_INLINE_XATTR_SIZE, MAX_INLINE_XATTR_SIZE); > > > + return false; > > > + } > > > + > > > if (!f2fs_sb_has_extra_attr(sbi)) { > > > if (f2fs_sb_has_project_quota(sbi)) { > > > f2fs_warn(sbi, "%s: corrupted inode ino=%lx, wrong feature flag: %u, run fsck to fix.", > > > -- > > > 2.40.1
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index 282fd320bdb3..29ccc64faae9 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -302,15 +302,6 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) F2FS_TOTAL_EXTRA_ATTR_SIZE); return false; } - if (f2fs_sb_has_flexible_inline_xattr(sbi) && - f2fs_has_inline_xattr(inode) && - (!fi->i_inline_xattr_size || - fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) { - f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, max: %lu", - __func__, inode->i_ino, fi->i_inline_xattr_size, - MAX_INLINE_XATTR_SIZE); - return false; - } if (f2fs_sb_has_compression(sbi) && fi->i_flags & F2FS_COMPR_FL && F2FS_FITS_IN_INODE(ri, fi->i_extra_isize, @@ -320,6 +311,16 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) } } + if (f2fs_sb_has_flexible_inline_xattr(sbi) && + f2fs_has_inline_xattr(inode) && + (fi->i_inline_xattr_size < MIN_INLINE_XATTR_SIZE || + fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) { + f2fs_warn(sbi, "%s: inode (ino=%lx) has corrupted i_inline_xattr_size: %d, min: %u, max: %lu", + __func__, inode->i_ino, fi->i_inline_xattr_size, + MIN_INLINE_XATTR_SIZE, MAX_INLINE_XATTR_SIZE); + return false; + } + if (!f2fs_sb_has_extra_attr(sbi)) { if (f2fs_sb_has_project_quota(sbi)) { f2fs_warn(sbi, "%s: corrupted inode ino=%lx, wrong feature flag: %u, run fsck to fix.",
syzbot reported an out-of-range access issue as below: UBSAN: array-index-out-of-bounds in fs/f2fs/f2fs.h:3292:19 index 18446744073709550491 is out of range for type '__le32[923]' (aka 'unsigned int[923]') CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429 read_inline_xattr+0x273/0x280 lookup_all_xattrs fs/f2fs/xattr.c:341 [inline] f2fs_getxattr+0x57b/0x13b0 fs/f2fs/xattr.c:533 vfs_getxattr_alloc+0x472/0x5c0 fs/xattr.c:393 ima_read_xattr+0x38/0x60 security/integrity/ima/ima_appraise.c:229 process_measurement+0x117a/0x1fb0 security/integrity/ima/ima_main.c:353 ima_file_check+0xd9/0x120 security/integrity/ima/ima_main.c:572 security_file_post_open+0xb9/0x280 security/security.c:3121 do_open fs/namei.c:3830 [inline] path_openat+0x2ccd/0x3590 fs/namei.c:3987 do_file_open_root+0x3a7/0x720 fs/namei.c:4039 file_open_root+0x247/0x2a0 fs/open.c:1382 do_handle_open+0x85b/0x9d0 fs/fhandle.c:414 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f index: 18446744073709550491 (decimal, unsigned long long) = 0xfffffffffffffb9b (hexadecimal) = -1125 (decimal, long long) UBSAN detects that inline_xattr_addr() tries to access .i_addr[-1125]. w/ below testcase, it can reproduce this bug easily: - mkfs.f2fs -f -O extra_attr,flexible_inline_xattr /dev/sdb - mount -o inline_xattr_size=512 /dev/sdb /mnt/f2fs - touch /mnt/f2fs/file - umount /mnt/f2fs - inject.f2fs --node --mb i_inline --nid 4 --val 0x1 /dev/sdb - inject.f2fs --node --mb i_inline_xattr_size --nid 4 --val 2048 /dev/sdb - mount /dev/sdb /mnt/f2fs - getfattr /mnt/f2fs/file The root cause is if metadata of filesystem and inode were fuzzed as below: - extra_attr feature is enabled - flexible_inline_xattr feature is enabled - ri.i_inline_xattr_size = 2048 - F2FS_EXTRA_ATTR bit in ri.i_inline was not set sanity_check_inode() will skip doing sanity check on fi->i_inline_xattr_size, result in using invalid inline_xattr_size later incorrectly, fix it. Meanwhile, let's fix to check lower boundary for .i_inline_xattr_size w/ MIN_INLINE_XATTR_SIZE like we did in parse_options(). Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size") Reported-by: syzbot+69f5379a1717a0b982a1@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/674f4e7d.050a0220.17bd51.004f.GAE@google.com Signed-off-by: Chao Yu <chao@kernel.org> --- fs/f2fs/inode.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-)