On Mon, Sep 07, 2020 at 10:52:10AM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
>
> The goal of process_sf_dir2_fixi8 is to convert an i8 shortform
> directory into a (shorter) i4 shortform directory. It achieves this by
> duplicating the old sf directory contents (as oldsfp), zeroing i8count
> in the caller's directory buffer (i.e. newsfp/sfp), and reinitializing
> the new directory with the old directory's entries.
>
> Unfortunately, it copies the parent pointer from sfp (the buffer we've
> already started changing), not oldsfp. This leads to directory
> corruption since at that point we zeroed i8count, which means that we
> save only the upper four bytes from the parent pointer entry.
>
> This was found by fuzzing u3.sfdir3.hdr.i8count = ones in xfs/384.

Looks good,

Reviewed-by: Christoph Hellwig <hch@xxxxxx>
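The mechanism described in the quoted commit message, as an added illustration that is not part of the thread and not xfsprogs code: a simplified model of the shortform directory header (count, i8count, and a big-endian parent inode number that occupies 8 bytes when i8count is nonzero and 4 bytes otherwise), with two versions of the i8-to-i4 conversion. `fixi8_buggy` reads the parent from the buffer after i8count has already been zeroed, so the 4-byte getter returns only the upper half of the 8-byte field; `fixi8_fixed` reads it from the untouched copy. The struct layout, accessor names and the sample inode number are assumptions chosen for the demonstration, not the real on-disk definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (not xfsprogs' own struct) of a shortform dir header:
 * the parent inode is stored big-endian in 8 bytes if i8count != 0,
 * otherwise in the first 4 bytes of the same field. */
struct sf_hdr {
    uint8_t count;
    uint8_t i8count;
    uint8_t parent[8];
};

/* Header size on disk: the 4 unused parent bytes disappear in i4 form. */
size_t sf_hdr_size(uint8_t i8count)
{
    return sizeof(struct sf_hdr) - (i8count == 0 ? 4 : 0);
}

/* Width of the parent field depends on the header's *current* i8count. */
static uint64_t get_parent_ino(const struct sf_hdr *h)
{
    int n = h->i8count ? 8 : 4;
    uint64_t ino = 0;
    for (int i = 0; i < n; i++)
        ino = (ino << 8) | h->parent[i];
    return ino;
}

static void put_parent_ino(struct sf_hdr *h, uint64_t ino)
{
    int n = h->i8count ? 8 : 4;
    memset(h->parent, 0, sizeof(h->parent));
    for (int i = n - 1; i >= 0; i--) {
        h->parent[i] = (uint8_t)(ino & 0xff);
        ino >>= 8;
    }
}

/* Build an i8 header whose parent inode (assumed value) fits in 32 bits,
 * which is exactly the case where conversion to i4 is legitimate. */
struct sf_hdr make_i8_hdr(uint8_t count, uint64_t parent_ino)
{
    struct sf_hdr h = { .count = count, .i8count = 1 };
    put_parent_ino(&h, parent_ino);
    return h;
}

/* Buggy order: zero i8count first, then read the parent from sfp.
 * The getter now sees i8count == 0 and returns only parent[0..3],
 * i.e. the upper four bytes of the original 8-byte value. */
uint64_t fixi8_buggy(struct sf_hdr *sfp)
{
    struct sf_hdr oldsfp = *sfp;   /* saved copy, never consulted here */
    (void)oldsfp;
    sfp->i8count = 0;
    put_parent_ino(sfp, get_parent_ino(sfp));
    return get_parent_ino(sfp);
}

/* Fixed order: read the full 8-byte parent from the saved copy (oldsfp),
 * then write it in 4-byte form into the already-converted header. */
uint64_t fixi8_fixed(struct sf_hdr *sfp)
{
    struct sf_hdr oldsfp = *sfp;
    sfp->i8count = 0;
    put_parent_ino(sfp, get_parent_ino(&oldsfp));
    return get_parent_ino(sfp);
}

/* Convenience wrappers on a constructed header with parent ino 0x0123ABCD. */
uint64_t demo_buggy_parent(void)
{
    struct sf_hdr h = make_i8_hdr(3, 0x0123ABCDULL);
    return fixi8_buggy(&h);
}

uint64_t demo_fixed_parent(void)
{
    struct sf_hdr h = make_i8_hdr(3, 0x0123ABCDULL);
    return fixi8_fixed(&h);
}

int main(void)
{
    printf("i8 hdr %zu bytes, i4 hdr %zu bytes\n", sf_hdr_size(1), sf_hdr_size(0));
    printf("buggy fixi8 parent: 0x%llx\n", (unsigned long long)demo_buggy_parent());
    printf("fixed fixi8 parent: 0x%llx\n", (unsigned long long)demo_fixed_parent());
    return 0;
}
```

Because any inode that may legitimately live in an i4 directory has zero upper bytes, the buggy path turns the parent pointer into inode 0, which is why the corruption shows up immediately rather than as a subtly wrong number.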