From: Raphael Pinsonneault-Thibeault
To: cem@kernel.org
Cc: chandanbabu@kernel.org, djwong@kernel.org, bfoster@redhat.com, david@fromorbit.com, linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com, Raphael Pinsonneault-Thibeault
Subject: [PATCH v4] xfs: validate log record version against superblock log version
Date: Wed, 19 Nov 2025 10:37:22 -0500
Message-ID: <20251119153721.2765700-2-rpthibeault@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

Syzbot creates a fuzzed record where xfs_has_logv2() but the xlog_rec_header
h_version != XLOG_VERSION_2. This causes a KASAN: slab-out-of-bounds read in
xlog_do_recovery_pass() -> xlog_recover_process() -> xlog_cksum().

Fix by adding a check to xlog_valid_rec_header() to abort journal recovery if
the xlog_rec_header h_version does not match the super block log version. A
file system with a version 2 log will only ever set XLOG_VERSION_2 in its
headers (and v1 will only ever set V_1), so if there is any mismatch, either
the journal or the superblock has been corrupted and therefore we abort
processing with a -EFSCORRUPTED error immediately.

Also, refactor the structure of the validity checks for better readability. At
the default error level (LOW), XFS_IS_CORRUPT() emits the condition that
failed, the file and line number it is located at, then dumps the stack. This
gives us everything we need to know about the failure if we do a single
validity check per XFS_IS_CORRUPT().
Reported-by: syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9f6d080dece587cfdd4c
Tested-by: syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
Fixes: 45cf976008dd ("xfs: fix log recovery buffer allocation for the legacy h_size fixup")
Signed-off-by: Raphael Pinsonneault-Thibeault
Reviewed-by: Dave Chinner
---
changelog
v1 -> v2:
- reject the mount for h_size > XLOG_HEADER_CYCLE_SIZE && !XLOG_VERSION_2
v2 -> v3:
- abort journal recovery if the xlog_rec_header h_version does not
  match the super block log version
v3 -> v4:
- refactor for readability

 fs/xfs/xfs_log_recover.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c
index e6ed9e09c027..f5f28755b2ff 100644
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -2950,31 +2950,40 @@ xlog_valid_rec_header( xfs_daddr_t blkno, int bufsize) { + struct xfs_mount *mp =3D log->l_mp; + u32 h_version =3D be32_to_cpu(rhead->h_version); int hlen; =20 - if (XFS_IS_CORRUPT(log->l_mp, + if (XFS_IS_CORRUPT(mp, rhead->h_magicno !=3D cpu_to_be32(XLOG_HEADER_MAGIC_NUM))) return -EFSCORRUPTED; - if (XFS_IS_CORRUPT(log->l_mp, - (!rhead->h_version || - (be32_to_cpu(rhead->h_version) & - (~XLOG_VERSION_OKBITS))))) { - xfs_warn(log->l_mp, "%s: unrecognised log version (%d).", - __func__, be32_to_cpu(rhead->h_version)); + + if (XFS_IS_CORRUPT(mp, !h_version)) return -EFSCORRUPTED; - } + if (XFS_IS_CORRUPT(mp, (h_version & ~XLOG_VERSION_OKBITS))) + return -EFSCORRUPTED; + + /* + * the log version is known, but must match the superblock log + * version feature bits for the header to be considered valid + */ + if (xfs_has_logv2(mp)) { + if (XFS_IS_CORRUPT(mp, !(h_version & XLOG_VERSION_2))) + return -EFSCORRUPTED; + } else if (XFS_IS_CORRUPT(mp, !(h_version & XLOG_VERSION_1))) + return -EFSCORRUPTED; =20 /* * LR body must have data (or it wouldn't have been written) * and h_len must not be greater than LR buffer size. */ hlen =3D be32_to_cpu(rhead->h_len); - if (XFS_IS_CORRUPT(log->l_mp, hlen <=3D 0 || hlen > bufsize)) + if (XFS_IS_CORRUPT(mp, hlen <=3D 0 || hlen > bufsize)) return -EFSCORRUPTED; =20 - if (XFS_IS_CORRUPT(log->l_mp, - blkno > log->l_logBBsize || blkno > INT_MAX)) + if (XFS_IS_CORRUPT(mp, blkno > log->l_logBBsize || blkno > INT_MAX)) return -EFSCORRUPTED; + return 0; } =20 --=20 2.43.0
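Review bot: the new version-vs-superblock checks are bit tests, `!(h_version & XLOG_VERSION_2)` and `!(h_version & XLOG_VERSION_1)`, so a header carrying both version bits passes on either kind of superblock as long as both bits are within XLOG_VERSION_OKBITS; the commit message says a v2 log "will only ever set XLOG_VERSION_2" (and v1 only V_1), so if that exact match is the intent, compare `h_version != XLOG_VERSION_2` / `h_version != XLOG_VERSION_1` instead, or say in the new comment why a header with both bits set is acceptable. Style: `if (xfs_has_logv2(mp)) { ... } else if (XFS_IS_CORRUPT(...))` pairs a braced branch with an unbraced one; kernel style wants braces on both branches once one of them needs them. Dropping the xfs_warn() also drops the printed h_version value; with one condition per XFS_IS_CORRUPT() the failing bit can be read off the reported expression, as the message argues, so that is acceptable but worth stating in the commit message explicitly.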
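To make the version-consistency rule concrete, here is an added user-space model of the record header checks as they stand after this patch, run over constructed on-disk header bytes. This is example code written for this page, not kernel code from the patch. The constants mirror fs/xfs/xfs_log_format.h; only the first four big-endian fields of struct xlog_rec_header are modelled; `sb_has_logv2` stands in for xfs_has_logv2(mp); the log size and buffer size are assumed test values; and the `strict` flag (exact version match rather than a bit test) is a hypothetical variant, not something the patch implements.

```c
/*
 * Added example, not kernel code: user-space model of the record header
 * checks in xlog_valid_rec_header() after the patch, over constructed bytes.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define XLOG_HEADER_MAGIC_NUM	0xFEEDbabe	/* mirrors xfs_log_format.h */
#define XLOG_VERSION_1		1
#define XLOG_VERSION_2		2
#define XLOG_VERSION_OKBITS	(XLOG_VERSION_1 | XLOG_VERSION_2)

/* offsets of the modelled __be32 fields at the start of xlog_rec_header */
#define HDR_MAGIC_OFF	0	/* h_magicno */
#define HDR_CYCLE_OFF	4	/* h_cycle */
#define HDR_VERSION_OFF	8	/* h_version */
#define HDR_LEN_OFF	12	/* h_len */
#define SECTOR_SIZE	512

enum rec_hdr_status {
	REC_OK = 0,
	REC_BAD_MAGIC,
	REC_VERSION_ZERO,
	REC_VERSION_UNKNOWN_BITS,
	REC_VERSION_SB_MISMATCH,
	REC_BAD_LEN,
	REC_BAD_BLKNO,
};

/* on-disk fields are big-endian; decode/encode by hand so this runs anywhere */
static uint32_t rd_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | p[3];
}

static void wr_be32(uint8_t *p, uint32_t v)
{
	p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/*
 * Same check order as the patched function: magic, zero version, unknown
 * version bits, version vs superblock feature bit, h_len, block number.
 * `strict` is a hypothetical exact-match variant for comparison.
 */
enum rec_hdr_status
validate_rec_header(const uint8_t *buf, bool sb_has_logv2, bool strict,
		    int64_t blkno, int64_t log_bbsize, int bufsize)
{
	uint32_t h_version = rd_be32(buf + HDR_VERSION_OFF);
	int32_t hlen = (int32_t)rd_be32(buf + HDR_LEN_OFF);

	if (rd_be32(buf + HDR_MAGIC_OFF) != XLOG_HEADER_MAGIC_NUM)
		return REC_BAD_MAGIC;
	if (!h_version)
		return REC_VERSION_ZERO;
	if (h_version & ~XLOG_VERSION_OKBITS)
		return REC_VERSION_UNKNOWN_BITS;

	if (strict) {
		/* v2 log => exactly XLOG_VERSION_2, v1 log => exactly XLOG_VERSION_1 */
		uint32_t want = sb_has_logv2 ? XLOG_VERSION_2 : XLOG_VERSION_1;
		if (h_version != want)
			return REC_VERSION_SB_MISMATCH;
	} else if (sb_has_logv2) {
		/* the patch's bit test */
		if (!(h_version & XLOG_VERSION_2))
			return REC_VERSION_SB_MISMATCH;
	} else if (!(h_version & XLOG_VERSION_1)) {
		return REC_VERSION_SB_MISMATCH;
	}

	if (hlen <= 0 || hlen > bufsize)
		return REC_BAD_LEN;
	if (blkno > log_bbsize || blkno > INT32_MAX)
		return REC_BAD_BLKNO;
	return REC_OK;
}

/* build a constructed (not captured) header sector and run the check */
enum rec_hdr_status
check(uint32_t magic, uint32_t version, uint32_t len,
      bool sb_has_logv2, bool strict, int64_t blkno)
{
	uint8_t sector[SECTOR_SIZE] = {0};

	wr_be32(sector + HDR_MAGIC_OFF, magic);
	wr_be32(sector + HDR_CYCLE_OFF, 1);
	wr_be32(sector + HDR_VERSION_OFF, version);
	wr_be32(sector + HDR_LEN_OFF, len);
	/* assumed sizes: log of 1024 basic blocks, 512-byte record buffer */
	return validate_rec_header(sector, sb_has_logv2, strict, blkno, 1024, 512);
}

/* the syzbot shape: v2 superblock, record header claiming only v1 */
enum rec_hdr_status fuzzed_v1_header_on_v2_log(void)
{
	return check(XLOG_HEADER_MAGIC_NUM, XLOG_VERSION_1, 256, true, false, 0);
}

/* both version bits set: passes the bit test, fails an exact match */
enum rec_hdr_status both_version_bits(bool strict)
{
	return check(XLOG_HEADER_MAGIC_NUM, XLOG_VERSION_OKBITS, 256, true, strict, 0);
}

int main(void)
{
	printf("v1 header on v2 log:    %d\n", fuzzed_v1_header_on_v2_log());
	printf("v1|v2 header, bit test: %d\n", both_version_bits(false));
	printf("v1|v2 header, strict:   %d\n", both_version_bits(true));
	return 0;
}
```

The first case is the fuzzed shape from the report and is rejected by the patched check before any checksum code runs. The second case shows the difference between the bit test the patch uses and an exact match: a header with both version bits set survives the bit test on a v2 log, which is what the review note above is about.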