From: Dave Chinner <david@fromorbit.com>
To: "Darrick J. Wong" <djwong@kernel.org>
Cc: linux-xfs@vger.kernel.org
Subject: Re: [PATCH 1/4] xfs: fully initialize xfs_da_args in xchk_directory_blocks
Date: Fri, 14 Oct 2022 09:33:56 +1100 [thread overview]
Message-ID: <20221013223356.GA3600936@dread.disaster.area> (raw)
In-Reply-To: <166473478865.1083155.10793868656289104615.stgit@magnolia>
On Sun, Oct 02, 2022 at 11:19:48AM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@kernel.org>
>
> While running the online fsck test suite, I noticed the following
> assertion in the kernel log (edited for brevity):
>
> XFS: Assertion failed: 0, file: fs/xfs/xfs_health.c, line: 571
> ------------[ cut here ]------------
> WARNING: CPU: 3 PID: 11667 at fs/xfs/xfs_message.c:104 assfail+0x46/0x4a [xfs]
> CPU: 3 PID: 11667 Comm: xfs_scrub Tainted: G W 5.19.0-rc7-xfsx #rc7 6e6475eb29fd9dda3181f81b7ca7ff961d277a40
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:assfail+0x46/0x4a [xfs]
> Call Trace:
> <TASK>
> xfs_dir2_isblock+0xcc/0xe0
> xchk_directory_blocks+0xc7/0x420
> xchk_directory+0x53/0xb0
> xfs_scrub_metadata+0x2b6/0x6b0
> xfs_scrubv_metadata+0x35e/0x4d0
> xfs_ioc_scrubv_metadata+0x111/0x160
> xfs_file_ioctl+0x4ec/0xef0
> __x64_sys_ioctl+0x82/0xa0
> do_syscall_64+0x2b/0x80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> This assertion triggers in xfs_dirattr_mark_sick when the caller passes
> in a whichfork value that is neither of XFS_{DATA,ATTR}_FORK. The cause
> of this is that xchk_directory_blocks only partially initializes the
> xfs_da_args structure that is passed to xfs_dir2_isblock. If the data
> fork is not correct, the XFS_IS_CORRUPT clause will trigger. My
> development branch reports this failure to the health monitoring
> subsystem, which accesses the uninitialized args->whichfork field,
> leading the the assertion tripping. We really shouldn't be passing
> random stack contents around, so the solution here is to force the
> compiler to zero-initialize the struct.
>
> Found by fuzzing u3.bmx[0].blockcount = middlebit on xfs/1554.
>
> Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> ---
> fs/xfs/scrub/dir.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
Looks good, surprised it took this long to trip over this...
Reviewed-by: Dave Chinner <dchinner@redhat.com>
--
Dave Chinner
david@fromorbit.com
next prev parent reply other threads:[~2022-10-13 22:34 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-02 18:19 [PATCHSET v23.1 0/4] xfs: fix handling of AG[IF] header buffers during scrub Darrick J. Wong
2022-10-02 18:19 ` [PATCH 1/4] xfs: fully initialize xfs_da_args in xchk_directory_blocks Darrick J. Wong
2022-10-13 22:33 ` Dave Chinner [this message]
2022-10-02 18:19 ` [PATCH 3/4] xfs: set the buffer type after holding the AG[IF] across trans_roll Darrick J. Wong
2022-10-13 22:25 ` Dave Chinner
2022-10-13 23:19 ` Darrick J. Wong
2022-10-14 1:28 ` Dave Chinner
2022-10-24 4:16 ` Darrick J. Wong
2022-10-31 18:08 ` [PATCH v23.2 3/4] xfs: log the AGI/AGF buffers when rolling transactions during an AG repair Darrick J. Wong
2022-10-31 21:17 ` Dave Chinner
2022-10-02 18:19 ` [PATCH 2/4] xfs: don't track the AGFL buffer in the scrub AG context Darrick J. Wong
2022-10-13 22:32 ` Dave Chinner
2022-10-02 18:19 ` [PATCH 4/4] xfs: make AGFL repair function avoid crosslinked blocks Darrick J. Wong
2022-10-13 22:35 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221013223356.GA3600936@dread.disaster.area \
--to=david@fromorbit.com \
--cc=djwong@kernel.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.