if (ptbl->pmask & (1ULL << offset)) { Directory inode 8388736 doesn't have a dotdot entry and phase 3 decides to clear that inode, so it never calls set_inode_parent for 8388736. Because the rest of the inodes in the chunk are regular files, phase 3 never calls set_inode_parent on the corresponding irec. As a result, neither irec->ino_un.plist nor irec->ino_un.ex_data->parents are ever set to a parents array. When phase 6 calls get_inode_parent to check the S_IFDIR.FMT_BLOCK dirent from the root directory to inode 8388736, it sets ptbl to irec->ino_un.ex_data->parents (which is still NULL) and walks off the NULL pointer. Because get_inode_parent already has the behavior that it can return zero for "unknown parent", the correction is simple: check ptbl before dereferencing it. git blame says this code has been in xfsprogs since the beginning of git, so I won't bother with a fixes tag. Found by fuzzing bhdr.hdr.bno = zeroes in xfs/386. Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx> --- repair/incore_ino.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/repair/incore_ino.c b/repair/incore_ino.c index 6618e534a..158e9b498 100644 --- a/repair/incore_ino.c +++ b/repair/incore_ino.c @@ -714,7 +714,7 @@ get_inode_parent(ino_tree_node_t *irec, int offset) else ptbl = irec->ino_un.plist; - if (ptbl->pmask & (1ULL << offset)) { + if (ptbl && (ptbl->pmask & (1ULL << offset))) { bitmask = 1ULL; target = 0;
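Review bot: the added `ptbl &&` guard is the right minimal fix for the NULL dereference described, but the visible context stops at `bitmask = 1ULL; target = 0;` and does not show the fall-through path, so it should be confirmed that skipping the `if` body leaves `get_inode_parent` returning 0 (the "unknown parent" value the description relies on) rather than an uninitialized or stale `target`. A short comment above the check, along the lines of `/* ptbl is NULL when phase 3 cleared the inode before set_inode_parent ran */`, would make clear to later readers that a NULL parent table is a legitimate state here (a chunk whose directories were all cleared, or contains only regular files) and not an invariant violation to be asserted on.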