[PATCH 2/3] jffs2: clean up xattr refs in jffs2_del_ino_cache instead of BUG_ON
Tristan Madani
tristmd at gmail.com
Fri May 1 04:02:45 PDT 2026
From: Tristan Madani <tristan at talencesecurity.com>

jffs2_del_ino_cache() triggers BUG_ON(old->xref) when an inode cache
entry still has xattr references. This can happen during unmount:
generic_shutdown_super() calls evict_inodes() before put_super(), but
jffs2_evict_inode -> jffs2_do_clear_inode -> jffs2_xattr_delete_inode
only clears xrefs when pino_nlink == 0. For inodes with nlink > 0
at unmount time, xrefs survive past eviction, and the subsequent
jffs2_del_ino_cache() hits the BUG_ON.

Replace the BUG_ON with a call to jffs2_xattr_free_inode(), which
walks the xref list and frees each entry without writing delete markers
to flash. This is appropriate during unmount since the flash state
will be reconstructed by the next mount scan anyway.

jffs2_xattr_free_inode() already exists for this purpose and is used
by jffs2_clear_xattr_subsystem() in the put_super path, but that
runs too late -- after jffs2_del_ino_cache has already been called
from evict_inode.

Reported-by: syzbot+44664704c1494ad5f7a0 at syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=44664704c1494ad5f7a0
Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version 5)")
Cc: stable at vger.kernel.org
Signed-off-by: Tristan Madani <tristan at talencesecurity.com>
---
fs/jffs2/nodelist.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/jffs2/nodelist.c b/fs/jffs2/nodelist.c
index b86c78d178c60..9af269b78b241 100644
--- a/fs/jffs2/nodelist.c
+++ b/fs/jffs2/nodelist.c
@@ -459,7 +459,8 @@ void jffs2_del_ino_cache(struct jffs2_sb_info *c, struct jffs2_inode_cache *old)
struct jffs2_inode_cache **prev;
#ifdef CONFIG_JFFS2_FS_XATTR
- BUG_ON(old->xref);
+ if (old->xref)
+ jffs2_xattr_free_inode(c, old);
#endif
dbg_inocache("del %p (ino #%u)\n", old, old->ino);
spin_lock(&c->inocache_lock);
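Review bot: the new `if (old->xref)` / `jffs2_xattr_free_inode(c, old);` pair is reached by every caller of jffs2_del_ino_cache(), but the justification given in the message (freeing xrefs without delete markers is fine because "the flash state will be reconstructed by the next mount scan") only holds on the unmount path; the hunk itself does nothing to confirm that a non-NULL xref here cannot come from a different caller while the filesystem stays mounted. Please either state in the commit message why the unmount eviction of nlink > 0 inodes is the only way to arrive here with xrefs still attached, or put a short comment above the `if (old->xref)` line explaining that refs survive evict_inode for nlink > 0 inodes at unmount and are freed here instead of in jffs2_clear_xattr_subsystem(), so the next reader does not reintroduce the BUG_ON or mistake the silent free for a leak fix.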
--
2.47.3