On Fri, Sep 25, 2020 at 05:06:33PM +0800, Chao Yu wrote: > Hi, > > I don't see any problem here, thanks for your report. :) >
I bet the uninitialize value is because "max_depth" is zero. 352 struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir, 353 const struct f2fs_filename *fname, 354 struct page **res_page) ^^^^^^^^ The stack trace says this isn't initialized. 355 { 356 unsigned long npages = dir_blocks(dir); 357 struct f2fs_dir_entry *de = NULL; 358 unsigned int max_depth; 359 unsigned int level; 360 361 if (f2fs_has_inline_dentry(dir)) { 362 *res_page = NULL; 363 de = f2fs_find_in_inline_dir(dir, fname, res_page); 364 goto out; 365 } 366 367 if (npages == 0) { 368 *res_page = NULL; 369 goto out; 370 } 371 372 max_depth = F2FS_I(dir)->i_current_depth; 373 if (unlikely(max_depth > MAX_DIR_HASH_DEPTH)) { 374 f2fs_warn(F2FS_I_SB(dir), "Corrupted max_depth of %lu: %u", 375 dir->i_ino, max_depth); 376 max_depth = MAX_DIR_HASH_DEPTH; 377 f2fs_i_depth_write(dir, max_depth); 378 } 379 380 for (level = 0; level < max_depth; level++) { ^^^^^^^^^^^^^^^^^ If "max_depth" is zero, then we never enter this loop. 381 *res_page = NULL; 382 de = find_in_level(dir, level, fname, res_page); 383 if (de || IS_ERR(*res_page)) 384 break; 385 } 386 out: 387 /* This is to increase the speed of f2fs_create */ 388 if (!de) 389 F2FS_I(dir)->task = current; 390 return de; Which means that we return a NULL "de" and "*res_page" is uninitialized and that matches what syzbot found throug runtime testing. 391 } regards, dan carpenter