From: Qu Wenruo <wqu@suse.com>
To: linux-btrfs@vger.kernel.org
Subject: [PATCH 2/6] btrfs-progs: check/original: Fix uninitialized stack memory access for deal_root_from_list()
Date: Tue, 24 Mar 2020 18:53:11 +0800 [thread overview]
Message-ID: <20200324105315.136569-3-wqu@suse.com> (raw)
In-Reply-To: <20200324105315.136569-1-wqu@suse.com>
[BUG]
With valgrind, fsck/002 test with original mode would report the
following valgrind error:
==90600== Conditional jump or move depends on uninitialised value(s)
==90600== at 0x15C280: pick_next_pending (main.c:4949)
==90600== by 0x15F3CF: run_next_block (main.c:6175)
==90600== by 0x1655CC: deal_root_from_list (main.c:8486)
==90600== by 0x1660C7: check_chunks_and_extents (main.c:8762)
==90600== by 0x166439: do_check_chunks_and_extents (main.c:8842)
==90600== by 0x169D0B: cmd_check (main.c:10324)
==90600== by 0x11CDC6: cmd_execute (commands.h:125)
==90600== by 0x11D712: main (btrfs.c:386)
[CAUSE]
The problem happens like this:
deal_root_from_list(@list is empty)
|- stack @last is not initialized
|- while(!list_empty(list)) {} is skipped
|- run_next_block(&last);
|- pick_next_pending(*last);
|- node_start = last;
Since the stack @last is not initialized in deal_root_from_list(), the
final node_start = last assignment would just fetch the garbage from
stack.
[FIX]
Fix the problem by initializing @last to 0, as that's exactly what the
first while loop did.
Signed-off-by: Qu Wenruo <wqu@suse.com>
---
check/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/check/main.c b/check/main.c
index b56255bc10a8..d8181249e394 100644
--- a/check/main.c
+++ b/check/main.c
@@ -8442,7 +8442,7 @@ static int deal_root_from_list(struct list_head *list,
struct device_extent_tree *dev_extent_cache)
{
int ret = 0;
- u64 last;
+ u64 last = 0;
while (!list_empty(list)) {
struct root_item_record *rec;
--
2.25.2
next prev parent reply other threads:[~2020-03-24 10:53 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-24 10:53 [PATCH 0/6] btrfs-progs: Fixes for valgrind errors during fsck-tests Qu Wenruo
2020-03-24 10:53 ` [PATCH 1/6] btrfs-progs: tests/common: Don't call INSTRUMENT on mount command Qu Wenruo
2020-03-24 10:53 ` Qu Wenruo [this message]
2020-03-24 10:53 ` [PATCH 3/6] btrfs-progs: check/original: Fix uninitialized memory for newly allocated data_backref Qu Wenruo
2020-03-24 10:53 ` [PATCH 4/6] btrfs-progs: check/original: Fix uninitialized return value from btrfs_write_dirty_block_groups() Qu Wenruo
2020-03-24 10:53 ` [PATCH 5/6] btrfs-progs: check/original: Fix uninitialized extent buffer contents Qu Wenruo
2020-03-24 10:53 ` [PATCH 6/6] btrfs-progs: extent-tree: Fix wrong post order rb tree cleanup for block groups Qu Wenruo
2020-03-25 14:42 ` [PATCH 0/6] btrfs-progs: Fixes for valgrind errors during fsck-tests David Sterba
2020-03-26 0:59 ` Qu Wenruo
2020-03-27 15:27 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200324105315.136569-3-wqu@suse.com \
--to=wqu@suse.com \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox