From: Qu Wenruo <wqu@suse.com>
To: linux-btrfs@vger.kernel.org
Subject: [PATCH 2/6] btrfs-progs: check/original: Fix uninitialized stack memory access for deal_root_from_list()
Date: Tue, 24 Mar 2020 18:53:11 +0800	[thread overview]
Message-ID: <20200324105315.136569-3-wqu@suse.com> (raw)
In-Reply-To: <20200324105315.136569-1-wqu@suse.com>

[BUG]
With valgrind, the fsck/002 test with original mode would report the
following valgrind error:
  ==90600== Conditional jump or move depends on uninitialised value(s)
  ==90600==    at 0x15C280: pick_next_pending (main.c:4949)
  ==90600==    by 0x15F3CF: run_next_block (main.c:6175)
  ==90600==    by 0x1655CC: deal_root_from_list (main.c:8486)
  ==90600==    by 0x1660C7: check_chunks_and_extents (main.c:8762)
  ==90600==    by 0x166439: do_check_chunks_and_extents (main.c:8842)
  ==90600==    by 0x169D0B: cmd_check (main.c:10324)
  ==90600==    by 0x11CDC6: cmd_execute (commands.h:125)
  ==90600==    by 0x11D712: main (btrfs.c:386)

[CAUSE]
The problem happens like this:
deal_root_from_list(@list is empty)
|- stack @last is not initialized
|- while(!list_empty(list)) {} is skipped
|- run_next_block(&last);
   |- pick_next_pending(*last);
      |- node_start = last;

Since the stack @last is not initialized in deal_root_from_list(), the
final node_start = last assignment would just fetch the garbage from
stack.

[FIX]
Fix the problem by initializing @last to 0, as that's exactly what the
first while loop did.

Signed-off-by: Qu Wenruo <wqu@suse.com>
---
 check/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/check/main.c b/check/main.c
index b56255bc10a8..d8181249e394 100644
--- a/check/main.c
+++ b/check/main.c
@@ -8442,7 +8442,7 @@ static int deal_root_from_list(struct list_head *list,
 			       struct device_extent_tree *dev_extent_cache)
 {
 	int ret = 0;
-	u64 last;
+	u64 last = 0;
 
 	while (!list_empty(list)) {
 		struct root_item_record *rec;
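Review bot: initializing `last` to 0 at its declaration (`u64 last = 0;`) makes the empty-list path well defined, since `run_next_block(&last)` is reached even when the `while (!list_empty(list))` loop body never runs, which matches the [CAUSE] analysis. Consider adding a one-line comment at the declaration noting that `run_next_block()` reads `*last` through the pointer regardless of whether the loop executed: the compiler's uninitialized-use diagnostics cannot see through that pointer, so without the comment a future refactor could silently reintroduce the same read of uninitialized stack memory.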
-- 
2.25.2
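The call chain in the [CAUSE] section is easy to misread because the uninitialized read happens two frames below the variable's declaration, through a pointer. The following added example is a constructed, simplified model of that chain and is not btrfs-progs code: the list type, the record layout and the loop body (assumed here to set `last` from each record's start) are placeholders, and only the shape of the bug and of the fix is taken from the patch. It shows why the out-parameter hides the dependency from the compiler and why the fixed function returns a defined value on both the empty and the non-empty path.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of the deal_root_from_list() ->
 * run_next_block() -> pick_next_pending() call chain from the patch.
 * Not the btrfs-progs code; the list and record types are assumptions. */
typedef uint64_t u64;

/* Minimal singly linked list standing in for a struct list_head chain. */
struct root_item_record {
    u64 start;                        /* assumed: bytenr of the root's tree block */
    struct root_item_record *next;
};

/* Mirrors pick_next_pending(): the caller's @last becomes node_start.
 * If the caller never assigned @last, this copies stack garbage. */
static u64 pick_next_pending(u64 last)
{
    u64 node_start = last;
    return node_start;
}

/* Mirrors run_next_block(): reads *last through a pointer, so the
 * compiler cannot prove at the call site that *last was initialized. */
static u64 run_next_block(u64 *last)
{
    u64 node_start = pick_next_pending(*last);
    *last = node_start;               /* assumed: the real walk updates *last */
    return node_start;
}

/* The fixed shape of deal_root_from_list(): @last starts at 0, so the
 * path where the list is empty and the loop is skipped is well defined.
 * Returns the node_start that run_next_block() derived from @last. */
u64 deal_root_from_list_fixed(struct root_item_record *list)
{
    u64 last = 0;                     /* the fix from the patch */

    while (list) {                    /* assumed loop body: track last start */
        last = list->start;
        list = list->next;
    }
    return run_next_block(&last);
}

/* Empty list: the loop never runs, yet run_next_block() still reads @last.
 * Before the fix this is the valgrind "uninitialised value" report. */
u64 demo_empty_list(void)
{
    return deal_root_from_list_fixed(NULL);   /* 0 with the fix */
}

/* Non-empty list: the loop assigns @last, so both versions agree here,
 * which is why the bug only showed up on an empty root list. */
u64 demo_two_roots(void)
{
    struct root_item_record b = { 8192, NULL };   /* constructed sample */
    struct root_item_record a = { 4096, &b };
    return deal_root_from_list_fixed(&a);         /* 8192 */
}

int main(void)
{
    printf("empty list -> node_start %llu\n",
           (unsigned long long)demo_empty_list());
    printf("two roots  -> node_start %llu\n",
           (unsigned long long)demo_two_roots());
    return 0;
}
```

The unfixed variant (`u64 last;` with no initializer) is deliberately not included, because its result on the empty path is undefined and cannot be asserted on; valgrind's conditional-jump report, as in the patch description, is the reliable way to catch that class of read, since `-Wmaybe-uninitialized` does not follow the value through `&last`.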



Thread overview: 10+ messages
2020-03-24 10:53 [PATCH 0/6] btrfs-progs: Fixes for valgrind errors during fsck-tests Qu Wenruo
2020-03-24 10:53 ` [PATCH 1/6] btrfs-progs: tests/common: Don't call INSTRUMENT on mount command Qu Wenruo
2020-03-24 10:53 ` Qu Wenruo [this message]
2020-03-24 10:53 ` [PATCH 3/6] btrfs-progs: check/original: Fix uninitialized memory for newly allocated data_backref Qu Wenruo
2020-03-24 10:53 ` [PATCH 4/6] btrfs-progs: check/original: Fix uninitialized return value from btrfs_write_dirty_block_groups() Qu Wenruo
2020-03-24 10:53 ` [PATCH 5/6] btrfs-progs: check/original: Fix uninitialized extent buffer contents Qu Wenruo
2020-03-24 10:53 ` [PATCH 6/6] btrfs-progs: extent-tree: Fix wrong post order rb tree cleanup for block groups Qu Wenruo
2020-03-25 14:42 ` [PATCH 0/6] btrfs-progs: Fixes for valgrind errors during fsck-tests David Sterba
2020-03-26  0:59   ` Qu Wenruo
2020-03-27 15:27     ` David Sterba
