ext4: xattr: fix null pointer deref in ext4_raw_inode()

jira VULN-66825
cve-bf CVE-2025-37738
commit-author Karina Yankevich <k.yankevich@omp.ru>
commit b97cb7d

If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),
iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()
lacks error checking, this will lead to a null pointer dereference
in ext4_raw_inode(), called right after ext4_get_inode_loc().

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: c8e008b ("ext4: ignore xattrs past end")
	Cc: stable@kernel.org
	Signed-off-by: Karina Yankevich <k.yankevich@omp.ru>
	Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
	Reviewed-by: Baokun Li <libaokun1@huawei.com>
Message-ID: <20251022093253.3546296-1-k.yankevich@omp.ru>
	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry picked from commit b97cb7d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

Author: PlaidCat

fs/ext4/xattr.c

@@ -1137,7 +1137,11 @@ ext4_xattr_inode_dec_ref_all(handle_t *handle, struct inode *parent,
 	if (block_csum)
 		end = (void *)bh->b_data + bh->b_size;
 	else {
-		ext4_get_inode_loc(parent, &iloc);
+		err = ext4_get_inode_loc(parent, &iloc);
+		if (err) {
+			EXT4_ERROR_INODE(parent, "parent inode loc (error %d)", err);
+			return;
+		}
 		end = (void *)ext4_raw_inode(&iloc) + EXT4_SB(parent->i_sb)->s_inode_size;
 	}