Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp978649pxb; Wed, 3 Mar 2021 23:17:16 -0800 (PST) X-Google-Smtp-Source: ABdhPJx2SSSCeMiqsDdjUY1BGR3HGgKucdtVRHx56tu1jx9Y+iOE1jp18ijtzbbIMeGg7sJy0/1a X-Received: by 2002:a17:906:753:: with SMTP id z19mr2692810ejb.447.1614842236791; Wed, 03 Mar 2021 23:17:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614842236; cv=none; d=google.com; s=arc-20160816; b=KLqyorXUrTjtL/JL5ZCHJKHH7yfwmUMOyWM+CC6MKlbC3I+PBZ54usaB3ZeSuRG2tG 46OA4EyOOVLuIcJ1LLZBbYE16QeaZd2d7lIf1RIMphhiePPEdRd9wCIK/8MCPF3F1Mce qvPXFi+YKGscYBmjrWjtJDK3XmoDG2gP+mKT2b5y/AmlR4U01EEpXnlVd3sL0VuR0cuF m7BiLmBpY2SNqcI5zjvTKb4jQKy98mrUutY6xn6FVrYOTGOQmUC9dzUfWfXMosdMBpMl Ik0BEVvfzLPCcBx/56i9/w9Y5wwIuuX1CcwZbQ7NbX7zFOLJOND/zclFykVCEvKLJO6n rwnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:user-agent:date:message-id:subject:cc:to:from; bh=NeTlkZk3hI/k7ou7Q2bN5AgN3kOgCc096l4kbFtHQP8=; b=U+mwy9cObxIXwhELHP5lhcP/rMhgLZ7FQlTFmjDW+jbpqFOQug8WDCvST4iz8hD7Hz hj1U5GRSZ/1MB3HeovisVMUwYJEBVD8+yUWkH4fGH/IrxzAbCWbvze8dpLwkdY45BqqW sWoJsRpLepHA3P3TZ9sPXga+ZP1vt3m+WvpwUts7TEaWqfae4ZkU4qm9z8NiZcfcpumc JNep5jGyLZgI5Y2KereVQ33zIJ5+SLoSGnHehz2Awos+SPmq6XejmO5T5HMXm0boZXBG WuUymeYPd2igkMxNkYGcckozEMI0CVeEfDAA4VVGcjmAgfHBPMzYdNgU4SjQL1CPaBxM 9d8g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p32si17660784edd.89.2021.03.03.23.16.54; Wed, 03 Mar 2021 23:17:16 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2360021AbhCBWP4 (ORCPT + 99 others); Tue, 2 Mar 2021 17:15:56 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:38010 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1582026AbhCBUH6 (ORCPT ); Tue, 2 Mar 2021 15:07:58 -0500 Received: from 1.general.cking.uk.vpn ([10.172.193.212]) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1lHBIT-0008BB-AE; Tue, 02 Mar 2021 20:07:09 +0000 From: Colin Ian King To: Jaegeuk Kim , Changman Lee , Chao Yu , linux-f2fs-devel@lists.sourceforge.net Cc: "linux-kernel@vger.kernel.org" Subject: f2fs_convert_inline_inode causing rebalance based on random uninitialized value in dn.node_changed Message-ID: <9fcca081-9a60-8ae3-5cac-d8aa38c38ff2@canonical.com> Date: Tue, 2 Mar 2021 20:07:08 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, Static analysis on linux-next detected a potential uninitialized variable dn.node_changed that does not get set when a call to f2fs_get_node_page() fails. This uninitialized value gets used in the call to f2fs_balance_fs() that may or not may not balances dirty node and dentry pages depending on the uninitialized state of the variable. I believe the issue was introduced by commit: commit 2a3407607028f7c780f1c20faa4e922bf631d340 Author: Jaegeuk Kim Date: Tue Dec 22 13:23:35 2015 -0800 f2fs: call f2fs_balance_fs only when node was changed The analysis is a follows: 184 int f2fs_convert_inline_inode(struct inode *inode) 185 { 186 struct f2fs_sb_info *sbi = F2FS_I_SB(inode); 1. var_decl: Declaring variable dn without initializer. 187 struct dnode_of_data dn; NOTE dn is not initialized here. 188 struct page *ipage, *page; 189 int err = 0; 190 2. Condition !f2fs_has_inline_data(inode), taking false branch. 3. Condition f2fs_hw_is_readonly(sbi), taking false branch. 4. Condition f2fs_readonly(sbi->sb), taking false branch. 191 if (!f2fs_has_inline_data(inode) || 192 f2fs_hw_is_readonly(sbi) || f2fs_readonly(sbi->sb)) 193 return 0; 194 195 err = dquot_initialize(inode); 5. Condition err, taking false branch. 196 if (err) 197 return err; 198 199 page = f2fs_grab_cache_page(inode->i_mapping, 0, false); 6. Condition !page, taking false branch. 200 if (!page) 201 return -ENOMEM; 202 203 f2fs_lock_op(sbi); 204 205 ipage = f2fs_get_node_page(sbi, inode->i_ino); 7. Condition IS_ERR(ipage), taking true branch. 206 if (IS_ERR(ipage)) { 207 err = PTR_ERR(ipage); 8. Jumping to label out. 208 goto out; 209 } 210 NOTE: set_new_dnode memset's dn so sets the flag to false, but we don't get to this memset if IS_ERR(ipage) above is true. 211 set_new_dnode(&dn, inode, ipage, ipage, 0); 212 213 if (f2fs_has_inline_data(inode)) 214 err = f2fs_convert_inline_page(&dn, page); 215 216 f2fs_put_dnode(&dn); 217 out: 218 f2fs_unlock_op(sbi); 219 220 f2fs_put_page(page, 1); 221 Uninitialized scalar variable: 9. uninit_use_in_call: Using uninitialized value dn.node_changed when calling f2fs_balance_fs. 222 f2fs_balance_fs(sbi, dn.node_changed); 223 224 return err; 225 } I think a suitable fix will be to set dn.node_changed to false on in line 207-208 but I'm concerned if I'm missing something subtle to the rebalancing if I do this. Comments? Colin