From: Raphael Pinsonneault-Thibeault
To: cem@kernel.org
Cc: chandanbabu@kernel.org, djwong@kernel.org, bfoster@redhat.com, david@fromorbit.com, hch@infradead.org, linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com, Raphael Pinsonneault-Thibeault
Subject: [PATCH v5] xfs: validate log record version against superblock log version
Date: Mon, 24 Nov 2025 12:47:00 -0500
Message-ID: <20251124174658.59275-3-rpthibeault@gmail.com>

Syzbot creates a fuzzed record where xfs_has_logv2() but the xlog_rec_header h_version != XLOG_VERSION_2. This causes a KASAN: slab-out-of-bounds read in xlog_do_recovery_pass() -> xlog_recover_process() -> xlog_cksum().

Fix by adding a check to xlog_valid_rec_header() to abort journal recovery if the xlog_rec_header h_version does not match the super block log version. A file system with a version 2 log will only ever set XLOG_VERSION_2 in its headers (and v1 will only ever set V_1), so if there is any mismatch, either the journal or the superblock has been corrupted and therefore we abort processing with a -EFSCORRUPTED error immediately.

Also, refactor the structure of the validity checks for better readability. At the default error level (LOW), XFS_IS_CORRUPT() emits the condition that failed, the file and line number it is located at, then dumps the stack. This gives us everything we need to know about the failure if we do a single validity check per XFS_IS_CORRUPT().
Reported-by: syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9f6d080dece587cfdd4c
Tested-by: syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
Fixes: 45cf976008dd ("xfs: fix log recovery buffer allocation for the legacy h_size fixup")
Signed-off-by: Raphael Pinsonneault-Thibeault
Reviewed-by: "Darrick J. Wong"
Reviewed-by: Christoph Hellwig
---
Changelog
v1 -> v2:
- reject the mount for h_size > XLOG_HEADER_CYCLE_SIZE && !XLOG_VERSION_2
v2 -> v3:
- abort journal recovery if the xlog_rec_header h_version does not match the super block log version
v3 -> v4:
- refactor for readability
v4 -> v5:
- stop pretending h_version is a bitmap, remove check using XLOG_VERSION_OKBITS

 fs/xfs/xfs_log_recover.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index e6ed9e09c027..2ed94be010d0 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -2950,18 +2950,23 @@ xlog_valid_rec_header( xfs_daddr_t blkno, int bufsize) { + struct xfs_mount *mp =3D log->l_mp; + u32 h_version =3D be32_to_cpu(rhead->h_version); int hlen; =20 - if (XFS_IS_CORRUPT(log->l_mp, + if (XFS_IS_CORRUPT(mp, rhead->h_magicno !=3D cpu_to_be32(XLOG_HEADER_MAGIC_NUM))) return -EFSCORRUPTED; - if (XFS_IS_CORRUPT(log->l_mp, - (!rhead->h_version || - (be32_to_cpu(rhead->h_version) & - (~XLOG_VERSION_OKBITS))))) { - xfs_warn(log->l_mp, "%s: unrecognised log version (%d).", - __func__, be32_to_cpu(rhead->h_version)); - return -EFSCORRUPTED; + + /* + * The log version must match the superblock + */ + if (xfs_has_logv2(mp)) { + if (XFS_IS_CORRUPT(mp, h_version !=3D XLOG_VERSION_2)) + return -EFSCORRUPTED; + } else { + if (XFS_IS_CORRUPT(mp, h_version !=3D XLOG_VERSION_1)) + return -EFSCORRUPTED; } =20 /* 
@@ -2969,12 +2974,12 @@ xlog_valid_rec_header( * and h_len must not be greater than LR buffer size. */ hlen =3D be32_to_cpu(rhead->h_len); - if (XFS_IS_CORRUPT(log->l_mp, hlen <=3D 0 || hlen > bufsize)) + if (XFS_IS_CORRUPT(mp, hlen <=3D 0 || hlen > bufsize)) return -EFSCORRUPTED; =20 - if (XFS_IS_CORRUPT(log->l_mp, - blkno > log->l_logBBsize || blkno > INT_MAX)) + if (XFS_IS_CORRUPT(mp, blkno > log->l_logBBsize || blkno > INT_MAX)) return -EFSCORRUPTED; + return 0; } =20 --=20 2.43.0
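Review bot: in the first hunk, the two new mismatch branches drop the diagnostic that the removed `xfs_warn(log->l_mp, "%s: unrecognised log version (%d).", ...)` used to give, so the value actually found in `h_version` no longer reaches the kernel log; XFS_IS_CORRUPT() reports only the failed condition text (`h_version != XLOG_VERSION_2`) and its file and line. When triaging a corrupted or fuzzed journal, the observed version number is the first thing one wants, so consider keeping a one-line xfs_warn() carrying `h_version` ahead of each new `return -EFSCORRUPTED`. Minor: the new comment `The log version must match the superblock` could carry the reasoning from the commit message (a v2 log only ever writes XLOG_VERSION_2, a v1 log only XLOG_VERSION_1), so the reader of the code sees why any mismatch is treated as corruption rather than as an unknown-but-tolerable version. A zero `h_version`, which the removed `!rhead->h_version` test caught, is still rejected because it equals neither constant, so no coverage is lost there.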
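Review bot: in the second hunk, the added blank line before `return 0;` is whitespace churn unrelated to the fix; either drop it or fold it under the "refactor for readability" changelog entry so that whoever bisects this later is not left guessing at its purpose. The `log->l_mp` to `mp` substitutions in the two remaining XFS_IS_CORRUPT() calls are consistent with the local introduced in the first hunk and read fine.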
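As an added example, not the kernel patch or any XFS code, here is a user-space C model of the record header validation the commit message describes. The record header layout, the mount stand-in and the numeric value of EFSCORRUPTED are assumptions for the sake of a runnable program; XLOG_HEADER_MAGIC_NUM is the real XFS log record magic. It shows the syzbot shape (a superblock advertising a v2 log paired with a record header claiming v1) being rejected at the version check, before any code that trusts the v2 header layout runs, and how a one-condition-per-check macro yields a report that names exactly which condition failed, which is the readability argument the message makes for XFS_IS_CORRUPT().

```c
/*
 * Added example, not the kernel patch: a user-space model of the record
 * header validation described in the commit message. The header layout,
 * the mount struct and EFSCORRUPTED's value are simplified stand-ins
 * (assumptions), not the on-disk XFS format; only the check order mirrors
 * the patched xlog_valid_rec_header().
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XLOG_HEADER_MAGIC_NUM	0xFEEDbabe	/* XFS log record magic */
#define XLOG_VERSION_1		1
#define XLOG_VERSION_2		2
#define EFSCORRUPTED		117		/* stand-in errno value (assumption) */

/* Constructed subset of the on-disk record header: big-endian byte arrays. */
struct rec_header {
	uint8_t h_magicno[4];
	uint8_t h_version[4];
	uint8_t h_len[4];
};

/* Stand-in for the parts of struct xfs_mount / struct xlog the check consults. */
struct mount {
	int	has_logv2;	/* superblock feature bit: the log is version 2 */
	long	l_logBBsize;	/* log size in basic blocks */
};

static uint32_t be32_load(const uint8_t b[4])
{
	return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
	       ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

static void be32_store(uint8_t b[4], uint32_t v)
{
	b[0] = v >> 24; b[1] = v >> 16; b[2] = v >> 8; b[3] = v;
}

/* Mimics XFS_IS_CORRUPT() at its default level: remember and print the failed condition. */
static const char *last_failure = "none";

static void report_corruption(const char *cond, int line)
{
	last_failure = cond;
	fprintf(stderr, "corruption detected: %s at %s:%d\n", cond, __FILE__, line);
}

#define IS_CORRUPT(cond) \
	((cond) ? (report_corruption(#cond, __LINE__), 1) : 0)

const char *last_failed_check(void) { return last_failure; }

/* One condition per IS_CORRUPT(), in the order the patched kernel function applies them. */
int valid_rec_header(const struct mount *mp, const struct rec_header *rhead,
		     long blkno, int bufsize)
{
	uint32_t h_version = be32_load(rhead->h_version);
	int hlen;

	last_failure = "none";

	if (IS_CORRUPT(be32_load(rhead->h_magicno) != XLOG_HEADER_MAGIC_NUM))
		return -EFSCORRUPTED;

	/* The record's version must agree with the superblock's log version. */
	if (mp->has_logv2) {
		if (IS_CORRUPT(h_version != XLOG_VERSION_2))
			return -EFSCORRUPTED;
	} else {
		if (IS_CORRUPT(h_version != XLOG_VERSION_1))
			return -EFSCORRUPTED;
	}

	/* h_len must be positive and fit in the log record buffer. */
	hlen = (int)be32_load(rhead->h_len);
	if (IS_CORRUPT(hlen <= 0 || hlen > bufsize))
		return -EFSCORRUPTED;

	if (IS_CORRUPT(blkno > mp->l_logBBsize || blkno > INT_MAX))
		return -EFSCORRUPTED;

	return 0;
}

/* Build a constructed header and run it through the validator for a given superblock flavour. */
int check(int has_logv2, uint32_t magic, uint32_t version, uint32_t len,
	  long blkno, int bufsize)
{
	struct mount mp = { has_logv2, 1024 };	/* constructed 1024-block log */
	struct rec_header rh;

	be32_store(rh.h_magicno, magic);
	be32_store(rh.h_version, version);
	be32_store(rh.h_len, len);
	return valid_rec_header(&mp, &rh, blkno, bufsize);
}

int main(void)
{
	/* The syzbot shape: superblock says v2, record header says v1. */
	int rc = check(1, XLOG_HEADER_MAGIC_NUM, XLOG_VERSION_1, 512, 0, 4096);
	printf("v2 superblock, v1 record header -> %d (%s)\n", rc, last_failed_check());

	rc = check(1, XLOG_HEADER_MAGIC_NUM, XLOG_VERSION_2, 512, 0, 4096);
	printf("v2 superblock, v2 record header -> %d (%s)\n", rc, last_failed_check());
	return 0;
}
```

Because each IS_CORRUPT() wraps a single condition, the stringified condition in the report is enough to tell which field was wrong; had the magic, version and length tests been folded into one expression, the report would name the whole expression and the triager would have to rerun with extra logging.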