On Thu, Feb 13, 2020 at 05:53:59PM +0800, Zheng Bin wrote:
> We recently used fuzz (hydra) to test XFS and automatically generate
> tmp.img (XFS v5 format, but some metadata is wrong)
>
> Test as follows:
> mount tmp.img tmpdir
> cp file1M tmpdir
> sync
>
> tmpdir/file1M size is 1M, but its data cannot sync to disk.
>
> This is because tmp.img has some problems, using xfs_repair detect
> information as follows:
>
> agf_freeblks 0, counted 3224 in ag 0
> agf_longest 536874136, counted 3224 in ag 0
> sb_fdblocks 613, counted 3228
>
> Add these agf freeblocks checks:
> 1. agf_longest < agf_freeblks
> 2. agf_freeblks < sb_fdblocks

Did you audit the other fields in the AGF to see if they were adequately
bounds checked by xfs_agf_verify()?

A quick look at struct xfs_agf and xfs_agf_verify() indicates that
agf_length, agf_rmap_blocks and agf_refcount_blocks are not bounds
checked, either. And agf_spare64 and agf_spare2 are not checked for
being zero....

Cheers,

Dave.
-- 
Dave Chinner
david@xxxxxxxxxxxxx
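The two consistency checks proposed in the quoted message (agf_longest bounded by agf_freeblks, agf_freeblks bounded by sb_fdblocks), plus the kind of bound against agf_length that the reply asks about, written out as a stand-alone C model. This is an added example and is not the kernel's xfs_agf_verify() or any code from the thread: the struct fields, the enum names, the 12-byte big-endian layout and the agf_length value of 4096 are constructed for illustration, while the field values 0, 536874136, 613 and the counted 3224/3228 are the numbers xfs_repair reported in the thread.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code. It models only the AGF/superblock
 * fields named in the thread; the struct layouts and the raw byte
 * offsets below are constructed for this example and are not the
 * real on-disk layout of struct xfs_agf or struct xfs_sb.
 */
struct agf_model {
    uint32_t agf_length;    /* size of this AG in blocks (constructed value below) */
    uint32_t agf_freeblks;  /* free blocks in this AG */
    uint32_t agf_longest;   /* longest free extent in this AG */
};

struct sb_model {
    uint64_t sb_fdblocks;   /* free data blocks across the whole filesystem */
};

enum agf_verdict {
    AGF_OK = 0,
    AGF_FREEBLKS_EXCEEDS_LENGTH,   /* extra bound: free blocks cannot exceed the AG size */
    AGF_LONGEST_EXCEEDS_FREEBLKS,  /* check 1 from the thread */
    AGF_FREEBLKS_EXCEEDS_FDBLOCKS  /* check 2 from the thread */
};

/* XFS stores on-disk integers big-endian; decode without trusting host order. */
static uint32_t be32_at(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed layout for this example: three consecutive be32 words. */
void agf_from_disk(const uint8_t raw[12], struct agf_model *agf)
{
    agf->agf_length   = be32_at(raw + 0);
    agf->agf_freeblks = be32_at(raw + 4);
    agf->agf_longest  = be32_at(raw + 8);
}

/* Bounds checks, innermost value first: AG size bounds the free count,
 * the free count bounds the longest extent and the global free total. */
enum agf_verdict agf_verify(const struct agf_model *agf, const struct sb_model *sb)
{
    if (agf->agf_freeblks > agf->agf_length)
        return AGF_FREEBLKS_EXCEEDS_LENGTH;
    if (agf->agf_longest > agf->agf_freeblks)
        return AGF_LONGEST_EXCEEDS_FREEBLKS;
    if ((uint64_t)agf->agf_freeblks > sb->sb_fdblocks)
        return AGF_FREEBLKS_EXCEEDS_FDBLOCKS;
    return AGF_OK;
}

/* Convenience wrapper for checking a set of counters directly. */
enum agf_verdict verify_counts(uint32_t length, uint32_t freeblks,
                               uint32_t longest, uint64_t fdblocks)
{
    struct agf_model agf = { length, freeblks, longest };
    struct sb_model sb = { fdblocks };
    return agf_verify(&agf, &sb);
}

/* The on-disk values xfs_repair reported for tmp.img in the thread:
 * agf_freeblks 0, agf_longest 536874136 (0x20000C98), sb_fdblocks 613.
 * agf_length is not in the report; 4096 is a constructed value. */
enum agf_verdict verify_fuzzed_image(void)
{
    const uint8_t raw[12] = {
        0x00, 0x00, 0x10, 0x00,   /* agf_length   = 4096 (constructed) */
        0x00, 0x00, 0x00, 0x00,   /* agf_freeblks = 0 */
        0x20, 0x00, 0x0C, 0x98,   /* agf_longest  = 536874136 */
    };
    struct agf_model agf;
    struct sb_model sb = { 613 };

    agf_from_disk(raw, &agf);
    return agf_verify(&agf, &sb);
}

/* The counts xfs_repair computed instead: 3224 free, 3224 longest,
 * 3228 filesystem-wide. These are consistent and pass every check. */
enum agf_verdict verify_repaired_values(void)
{
    return verify_counts(4096, 3224, 3224, 3228);
}

int main(void)
{
    printf("fuzzed image verdict:    %d\n", (int)verify_fuzzed_image());
    printf("repaired values verdict: %d\n", (int)verify_repaired_values());
    return 0;
}
```

The fuzzed image fails at the first of the thread's two checks (agf_longest 536874136 against agf_freeblks 0) before the sb_fdblocks comparison is ever reached; with the repaired counts all three bounds hold. Ordering the comparisons from the tightest container outward means a later check never runs on a value an earlier one has already rejected.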