On Fri, Sep 25, 2020 at 05:06:33PM +0800, Chao Yu wrote:
> Hi,
>
> I don't see any problem here, thanks for your report. :)
>
I bet the uninitialize value is because "max_depth" is zero.
352 struct f2fs_dir_entry *__f2fs_find_entry(struct inode *dir,
353 const struct f2fs_filename
*fname,
354 struct page **res_page)
^^^^^^^^
The stack trace says this isn't initialized.
355 {
356 unsigned long npages = dir_blocks(dir);
357 struct f2fs_dir_entry *de = NULL;
358 unsigned int max_depth;
359 unsigned int level;
360
361 if (f2fs_has_inline_dentry(dir)) {
362 *res_page = NULL;
363 de = f2fs_find_in_inline_dir(dir, fname, res_page);
364 goto out;
365 }
366
367 if (npages == 0) {
368 *res_page = NULL;
369 goto out;
370 }
371
372 max_depth = F2FS_I(dir)->i_current_depth;
373 if (unlikely(max_depth > MAX_DIR_HASH_DEPTH)) {
374 f2fs_warn(F2FS_I_SB(dir), "Corrupted max_depth of %lu:
%u",
375 dir->i_ino, max_depth);
376 max_depth = MAX_DIR_HASH_DEPTH;
377 f2fs_i_depth_write(dir, max_depth);
378 }
379
380 for (level = 0; level < max_depth; level++) {
^^^^^^^^^^^^^^^^^
If "max_depth" is zero, then we never enter this loop.
381 *res_page = NULL;
382 de = find_in_level(dir, level, fname, res_page);
383 if (de || IS_ERR(*res_page))
384 break;
385 }
386 out:
387 /* This is to increase the speed of f2fs_create */
388 if (!de)
389 F2FS_I(dir)->task = current;
390 return de;
Which means that we return a NULL "de" and "*res_page" is uninitialized
and that matches what syzbot found throug runtime testing.
391 }
regards,
dan carpenter
