diff --git a/0009-xfs_repair-don-t-crash-in-get_inode_parent.patch b/0009-xfs_repair-don-t-crash-in-get_inode_parent.patch new file mode 100644 index 0000000000000000000000000000000000000000..a7b52f273867459bd62f5a9967f1b00cddabad6c --- /dev/null +++ b/0009-xfs_repair-don-t-crash-in-get_inode_parent.patch 
@@ -0,0 +1,92 @@ +From cb62b887de3ece222933c4b6033c8fac87702501 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Tue, 1 Oct 2024 18:26:02 -0700 +Subject: xfs_repair: don't crash in get_inode_parent + +The xfs_repair fuzz test suite encountered a crash in xfs_repair. In +the fuzzed filesystem, inode 8388736 is a single-block directory where +the one dir data block has been trashed. This inode maps to agno 1 +agino 128, and all other inodes in that inode chunk are regular files. +Output is as follows: + +Phase 1 - find and verify superblock... +Phase 2 - using internal log + - zero log... + - scan filesystem freespace and inode maps... + - found root inode chunk +Phase 3 - for each AG... + - scan (but don't clear) agi unlinked lists... + - process known inodes and perform inode discovery... + - agno = 0 + - agno = 1 +Metadata corruption detected at 0x565335fbd534, xfs_dir3_block block 0x4ebc78/0x1000 +corrupt directory block 0 for inode 8388736 +no . entry for directory 8388736 +no .. entry for directory 8388736 +problem with directory contents in inode 8388736 +would have cleared inode 8388736 + - agno = 2 + - agno = 3 + - process newly discovered inodes... +Phase 4 - check for duplicate blocks... + - setting up duplicate extent list... + - check for inodes claiming duplicate blocks... + - agno = 0 +entry "S_IFDIR.FMT_BLOCK" at block 0 offset 1728 in directory inode 128 references free inode 8388736 + would clear inode number in entry at offset 1728... + - agno = 1 +entry "." at block 0 offset 64 in directory inode 8388736 references free inode 8388736 +imap claims in-use inode 8388736 is free, would correct imap + - agno = 2 + - agno = 3 +No modify flag set, skipping phase 5 +Phase 6 - check inode connectivity... + - traversing filesystem ... 
+./common/xfs: line 387: 84940 Segmentation fault (core dumped) $XFS_REPAIR_PROG $SCRATCH_OPTIONS $* $SCRATCH_DEV + +From the coredump, we crashed in get_inode_parent here because ptbl is a +NULL pointer: + + if (ptbl->pmask & (1ULL << offset)) { + +Directory inode 8388736 doesn't have a dotdot entry and phase 3 decides +to clear that inode, so it never calls set_inode_parent for 8388736. +Because the rest of the inodes in the chunk are regular files, phase 3 +never calls set_inode_parent on the corresponding irec. As a result, +neither irec->ino_un.plist nor irec->ino_un.ex_data->parents are ever +set to a parents array. + +When phase 6 calls get_inode_parent to check the S_IFDIR.FMT_BLOCK +dirent from the root directory to inode 8388736, it sets ptbl to +irec->ino_un.ex_data->parents (which is still NULL) and walks off the +NULL pointer. + +Because get_inode_parent already has the behavior that it can return +zero for "unknown parent", the correction is simple: check ptbl before +dereferencing it. git blame says this code has been in xfsprogs since +the beginning of git, so I won't bother with a fixes tag. + +Found by fuzzing bhdr.hdr.bno = zeroes in xfs/386. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +--- + repair/incore_ino.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/repair/incore_ino.c b/repair/incore_ino.c +index 0dd7a2f..83d5320 100644 +--- a/repair/incore_ino.c ++++ b/repair/incore_ino.c +@@ -710,7 +710,7 @@ get_inode_parent(ino_tree_node_t *irec, int offset) + else + ptbl = irec->ino_un.plist; + +- if (ptbl->pmask & (1ULL << offset)) { ++ if (ptbl && (ptbl->pmask & (1ULL << offset))) { + bitmask = 1ULL; + target = 0; + +-- +2.43.0 + diff --git a/xfsprogs.spec b/xfsprogs.spec index 38ca0b30fd51330d48dd6b1fee68610ebf5ea617..d2d438e73da6cb2df442eb3818fa65b3cc2cb13c 100644 --- a/xfsprogs.spec +++ b/xfsprogs.spec 
@@ -1,6 +1,6 @@ Name: xfsprogs Version: 6.6.0 -Release: 9 +Release: 10 Summary: Administration and debugging tools for the XFS file system License: GPL-1.0-or-later AND LGPL-2.1-or-later URL: https://xfs.wiki.kernel.org @@ -27,6 +27,7 @@ Patch5: 0005-xfs_db-add-helper-for-flist_find_type-for-clearer-fi.patch Patch6: 0006-xfs_io-fix-mread-with-length-1-mod-page-size.patch Patch7: 0007-xfs_scrub-don-t-call-phase_end-if-phase_rusage-was-n.patch Patch8: 0008-xfsprogs-link-with-icu-uc.patch +Patch9: 0009-xfs_repair-don-t-crash-in-get_inode_parent.patch %description xfsprogs are the userspace utilities that manage XFS filesystems. @@ -99,6 +100,10 @@ rm -rf %{buildroot}%{_datadir}/doc/xfsprogs/ %exclude %{_mandir}/man8/xfs_scrub* %changelog +* Fri Aug 29 2025 liuh - 6.6.0-10 +- sync patch from community + xfs_repair: don't crash in get_inode_parent + * Tue Jul 01 2025 Wangmian - 6.6.0-9 - Fixed bug for macros in Changelog
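Review bot: In the repair/incore_ino.c hunk of 0009-xfs_repair-don-t-crash-in-get_inode_parent.patch, the new guard `if (ptbl && (ptbl->pmask & (1ULL << offset)))` correctly covers both assignment paths in the context (`ptbl = irec->ino_un.ex_data->parents` and `ptbl = irec->ino_un.plist`), since either can be NULL when set_inode_parent was never called for the irec; the fix relies on the fall-through path returning 0 for "unknown parent", as the commit message states, but that return is outside the hunk, so please confirm the function's tail returns an initialized 0 on this path rather than an uninitialized local. A one-line comment above the guard noting that ptbl is NULL when no directory inode in the chunk ever recorded a parent would make the intent clear to the next reader without consulting git log.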
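Review bot: The xfsprogs.spec hunks add `Patch9: 0009-xfs_repair-don-t-crash-in-get_inode_parent.patch`, bump Release 9 to 10, and add a matching changelog entry, which is consistent; however no corresponding patch application line (`%patch9` or similar) is visible in these hunks, so confirm the spec applies patches automatically (for example via `%autosetup -p1`) or the new patch will be declared but never applied. The changelog line `* Fri Aug 29 2025 liuh - 6.6.0-10` follows the existing entry's format (no email address), so it is consistent with `* Tue Jul 01 2025 Wangmian - 6.6.0-9`.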