Re: [PATCH] xfs: zero newly allocated btree root space

From: Yousef Alhouseen

Date: Tue Jun 30 2026 - 06:05:44 EST


It can, but krealloc() requires __GFP_ZERO on the initial allocation
and every subsequent allocation/reallocation of the object. I missed
that requirement here.

I'll send v2 using __GFP_ZERO consistently in xfs_broot_alloc() and
all allocation paths in xfs_broot_realloc(), instead of the explicit
memset.

Thanks,
Yousef

On Mon, 29 Jun 2026 13:39:59 -0700, "Darrick J. Wong" <djwong@xxxxxxxxxx> wrote:
> On Sun, Jun 28, 2026 at 11:47:48AM +0200, Yousef Alhouseen wrote:
> > xfs_broot_realloc() preserves the existing in-inode btree root while
> > growing its allocation, but leaves the added bytes uninitialized. The
> > inode log formatter copies if_broot_bytes bytes into the journal, so those
> > bytes reach the log record and its CRC calculation before every location
> > has necessarily been overwritten by btree updates.
> >
> > Clear the newly allocated tail immediately after a successful growth to
> > keep stale heap contents out of the filesystem log.
> >
> > Fixes: 6c1c55ac3c05 ("xfs: refactor the inode fork memory allocation functions")
> > Reported-by: syzbot+97f2c05378c5d68dcb8c@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=97f2c05378c5d68dcb8c
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
> > ---
> > fs/xfs/libxfs/xfs_inode_fork.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c
> > index 606a36526ce2..0d81c78f5afe 100644
> > --- a/fs/xfs/libxfs/xfs_inode_fork.c
> > +++ b/fs/xfs/libxfs/xfs_inode_fork.c
> > @@ -398,6 +398,8 @@ xfs_broot_realloc(
> > struct xfs_ifork *ifp,
> > size_t new_size)
> > {
> > + size_t old_size = ifp->if_broot_bytes;
> > +
> > /* No size change? No action needed. */
> > if (new_size == ifp->if_broot_bytes)
> > return ifp->if_broot;
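Review bot: old_size is captured at the very top of the function, well before the krealloc() that consumes it, and the lines in between (399 to 430) are not visible in this hunk; if any path in that gap modifies ifp->if_broot_bytes, the later memset length would be computed from a stale value. Capturing old_size immediately before the krealloc() call would tie the two together and make the relationship obvious to the next reader.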
> > @@ -430,6 +432,7 @@ xfs_broot_realloc(
> > */
> > ifp->if_broot = krealloc(ifp->if_broot, new_size,
> > GFP_KERNEL | __GFP_NOFAIL);
> > + memset((char *)ifp->if_broot + old_size, 0, new_size - old_size);
>
> Why doesn't GFP_ZERO work to clear the new memory?
>
> --D
>
> > ifp->if_broot_bytes = new_size;
> > return ifp->if_broot;
> > }
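Review bot: the memset length `new_size - old_size` is an unsigned size_t subtraction, so this line is only correct if every path that reaches this krealloc() has new_size > old_size; should a shrink ever reach it, the length wraps and memset writes past the end of the allocation. If growth is guaranteed here, an ASSERT(new_size > old_size) next to the memset would document that invariant. On the __GFP_ZERO question raised in review, the answer given in the thread applies to this exact line: krealloc() with __GFP_ZERO only yields a zeroed tail when the object was allocated with __GFP_ZERO from the start and on every reallocation, so replacing the memset means auditing xfs_broot_alloc() and the other allocation paths in xfs_broot_realloc() rather than just this call.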
> > --
> > 2.54.0
> >
> >