[PATCH] xfs: zero newly allocated btree root space

From: Yousef Alhouseen

Date: Sun Jun 28 2026 - 05:48:50 EST


xfs_broot_realloc() preserves the existing in-inode btree root while
growing its allocation, but leaves the added bytes uninitialized. The
inode log formatter copies if_broot_bytes bytes into the journal, so those
bytes reach the log record and its CRC calculation before every location
has necessarily been overwritten by btree updates.

Clear the newly allocated tail immediately after a successful growth to
keep stale heap contents out of the filesystem log.

Fixes: 6c1c55ac3c05 ("xfs: refactor the inode fork memory allocation functions")
Reported-by: syzbot+97f2c05378c5d68dcb8c@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=97f2c05378c5d68dcb8c
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
fs/xfs/libxfs/xfs_inode_fork.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c
index 606a36526ce2..0d81c78f5afe 100644
--- a/fs/xfs/libxfs/xfs_inode_fork.c
+++ b/fs/xfs/libxfs/xfs_inode_fork.c
@@ -398,6 +398,8 @@ xfs_broot_realloc(
struct xfs_ifork *ifp,
size_t new_size)
{
+ size_t old_size = ifp->if_broot_bytes;
+
/* No size change? No action needed. */
if (new_size == ifp->if_broot_bytes)
return ifp->if_broot;
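Review bot: old_size is snapshotted before the `if (new_size == ifp->if_broot_bytes)` early return and is only consumed at the krealloc site further down, so the declaration is easy to misread as unused when scanning this hunk alone; a one-line comment such as "remember the old size so the grown tail can be zeroed after krealloc" next to `size_t old_size = ifp->if_broot_bytes;` would make the intent clear, and the early-return test could then compare against old_size for consistency rather than re-reading ifp->if_broot_bytes.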
@@ -430,6 +432,7 @@ xfs_broot_realloc(
*/
ifp->if_broot = krealloc(ifp->if_broot, new_size,
GFP_KERNEL | __GFP_NOFAIL);
+ memset((char *)ifp->if_broot + old_size, 0, new_size - old_size);
ifp->if_broot_bytes = new_size;
return ifp->if_broot;
}
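Review bot: the new `memset((char *)ifp->if_broot + old_size, 0, new_size - old_size);` is unguarded and the length is a size_t subtraction, so if this krealloc path can ever be reached with new_size < old_size the length wraps and the memset runs past the end of the allocation. The code between the early return and this hunk is not visible here, so either confirm that shrinks are handled before this point and say so in the comment that ends at `*/` above the krealloc, or guard the clear with `if (new_size > old_size)`. No NULL check is needed before the memset because the krealloc is called with `GFP_KERNEL | __GFP_NOFAIL`.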
--
2.54.0
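To make the failure mode in the commit message concrete, here is an added userspace model of the grow path and the log formatter. It is constructed example code, not XFS code: `arena_realloc` is a bump allocator over a buffer pre-filled with 0xA5 that stands in for krealloc() so that "stale heap contents" are deterministic, `broot_realloc` mirrors the grow logic with and without the tail clear, and `stale_bytes_logged` plays the role of the inode log formatter copying if_broot_bytes bytes into a log record. All names, sizes and the 0x11/0xA5 patterns are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the kernel heap: a bump allocator over an arena
 * poisoned with 0xA5, so bytes never written by the caller are predictably
 * "stale" rather than whatever a real allocator happens to hand back. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

static void arena_reset(void)
{
    memset(arena, 0xA5, sizeof(arena));   /* stale-heap pattern */
    arena_used = 0;
}

/* Mimics krealloc(): returns a fresh block and copies the old contents. */
static void *arena_realloc(void *old, size_t old_size, size_t new_size)
{
    if (arena_used + new_size > ARENA_SIZE)
        return NULL;
    unsigned char *p = arena + arena_used;
    arena_used += new_size;
    if (old && old_size)
        memcpy(p, old, old_size < new_size ? old_size : new_size);
    return p;
}

/* Hypothetical model of the in-inode btree root fork fields used here. */
struct fork_model {
    unsigned char *broot;
    size_t broot_bytes;
};

/* Grow the root buffer. zero_tail=0 models the pre-fix behaviour,
 * zero_tail=1 models the patch (clear the bytes added by the growth). */
static unsigned char *broot_realloc(struct fork_model *f, size_t new_size,
                                    int zero_tail)
{
    size_t old_size = f->broot_bytes;

    if (new_size == old_size)
        return f->broot;
    unsigned char *p = arena_realloc(f->broot, old_size, new_size);
    if (!p)
        return NULL;
    f->broot = p;
    if (zero_tail && new_size > old_size)
        memset(f->broot + old_size, 0, new_size - old_size);
    f->broot_bytes = new_size;
    return f->broot;
}

/* Model of the inode log formatter: copies broot_bytes bytes into the log
 * record buffer. Returns how many bytes in [old_size, broot_bytes) of that
 * copy are nonzero, i.e. stale heap content that would reach the journal. */
static size_t stale_bytes_logged(const struct fork_model *f, size_t old_size,
                                 unsigned char *logrec, size_t logcap)
{
    if (f->broot_bytes > logcap)
        return (size_t)-1;
    memcpy(logrec, f->broot, f->broot_bytes);
    size_t n = 0;
    for (size_t i = old_size; i < f->broot_bytes; i++)
        if (logrec[i] != 0)
            n++;
    return n;
}

/* One scenario: fill a 64-byte root, grow it to 128 bytes, format the log
 * item. Returns the stale byte count, or (size_t)-2 if the original 64
 * bytes did not survive the grow. */
static size_t run_grow(int zero_tail)
{
    unsigned char logrec[256];
    struct fork_model f = { NULL, 0 };

    arena_reset();
    if (!broot_realloc(&f, 64, zero_tail))
        return (size_t)-1;
    memset(f.broot, 0x11, 64);             /* btree code filled the root */
    if (!broot_realloc(&f, 128, zero_tail))
        return (size_t)-1;
    for (size_t i = 0; i < 64; i++)        /* existing root must be preserved */
        if (f.broot[i] != 0x11)
            return (size_t)-2;
    return stale_bytes_logged(&f, 64, logrec, sizeof(logrec));
}
```

Without the clear, all 64 added bytes carry the arena's 0xA5 poison into the log copy; with it, the log record holds the preserved root followed by zeros, which is the state the patch wants on disk before the btree code has overwritten every new slot.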