Re: [PATCH] xfs: zero newly allocated btree root space
From: Darrick J. Wong
Date: Mon Jun 29 2026 - 16:40:12 EST
On Sun, Jun 28, 2026 at 11:47:48AM +0200, Yousef Alhouseen wrote:
> xfs_broot_realloc() preserves the existing in-inode btree root while
> growing its allocation, but leaves the added bytes uninitialized. The
> inode log formatter copies if_broot_bytes bytes into the journal, so those
> bytes reach the log record and its CRC calculation before every location
> has necessarily been overwritten by btree updates.
>
> Clear the newly allocated tail immediately after a successful growth to
> keep stale heap contents out of the filesystem log.
>
> Fixes: 6c1c55ac3c05 ("xfs: refactor the inode fork memory allocation functions")
> Reported-by: syzbot+97f2c05378c5d68dcb8c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=97f2c05378c5d68dcb8c
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
> ---
> fs/xfs/libxfs/xfs_inode_fork.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c
> index 606a36526ce2..0d81c78f5afe 100644
> --- a/fs/xfs/libxfs/xfs_inode_fork.c
> +++ b/fs/xfs/libxfs/xfs_inode_fork.c
> @@ -398,6 +398,8 @@ xfs_broot_realloc(
> struct xfs_ifork *ifp,
> size_t new_size)
> {
> + size_t old_size = ifp->if_broot_bytes;
> +
> /* No size change? No action needed. */
> if (new_size == ifp->if_broot_bytes)
> return ifp->if_broot;
> @@ -430,6 +432,7 @@ xfs_broot_realloc(
> */
> ifp->if_broot = krealloc(ifp->if_broot, new_size,
> GFP_KERNEL | __GFP_NOFAIL);
> + memset((char *)ifp->if_broot + old_size, 0, new_size - old_size);
Why doesn't GFP_ZERO work to clear the new memory?
--D
> ifp->if_broot_bytes = new_size;
> return ifp->if_broot;
> }
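Review bot: the memset added at the end of this hunk computes `new_size - old_size` in size_t, so it is only correct if this krealloc path is reached exclusively when growing; nothing in the visible context of the hunk shows that guard, so a one-line comment or an `ASSERT(new_size > old_size);` immediately before the memset would document the assumption and turn a future shrink-path misuse into a loud failure instead of a wraparound-sized memset. The ordering itself is right: `old_size` is captured from `if_broot_bytes` at function entry in the first hunk, and the trailing context line `ifp->if_broot_bytes = new_size;` only updates the size after the tail has been cleared. The question raised in the reply about using `__GFP_ZERO` on the krealloc also deserves an answer in the commit message either way: if the explicit memset is kept, say why the allocator's own zeroing was not used.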
> --
> 2.54.0