From: Raphael Pinsonneault-Thibeault
To: cem@kernel.org
Cc: chandanbabu@kernel.org, djwong@kernel.org, bfoster@redhat.com, linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org, Raphael Pinsonneault-Thibeault, syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com, Christoph Hellwig
Subject: [PATCH v6] xfs: validate log record version against superblock log version
Date: Thu, 29 Jan 2026 13:50:21 -0500
Message-ID: <20260129185020.679674-2-rpthibeault@gmail.com>

Syzbot creates a fuzzed record where xfs_has_logv2() but the xlog_rec_header
h_version != XLOG_VERSION_2. This causes a KASAN: slab-out-of-bounds read in
xlog_do_recovery_pass() -> xlog_recover_process() -> xlog_cksum().

Fix by adding a check to xlog_valid_rec_header() to abort journal recovery if
the xlog_rec_header h_version does not match the superblock log version. A
file system with a version 2 log will only ever set XLOG_VERSION_2 in its
headers (and v1 will only ever set V_1), so if there is any mismatch, either
the journal or the superblock has been corrupted and therefore we abort
processing with a -EFSCORRUPTED error immediately.

Also, refactor the structure of the validity checks for better readability.
At the default error level (LOW), XFS_IS_CORRUPT() emits the condition that
failed, the file and line number it is located at, then dumps the stack.
This gives us everything we need to know about the failure if we do a single
validity check per XFS_IS_CORRUPT().

Reported-by: syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9f6d080dece587cfdd4c
Tested-by: syzbot+9f6d080dece587cfdd4c@syzkaller.appspotmail.com
Fixes: 45cf976008dd ("xfs: fix log recovery buffer allocation for the legacy h_size fixup")
Signed-off-by: Raphael Pinsonneault-Thibeault
Reviewed-by: "Darrick J. Wong"
Reviewed-by: Christoph Hellwig
---
Changelog
v1 -> v2:
- reject the mount for h_size > XLOG_HEADER_CYCLE_SIZE && !XLOG_VERSION_2
v2 -> v3:
- abort journal recovery if the xlog_rec_header h_version does not
  match the super block log version
v3 -> v4:
- refactor for readability
v4 -> v5:
- stop pretending h_version is a bitmap, remove check using XLOG_VERSION_OKBITS
v5 -> v6:
- added Reviewed-by tags

It seems that this patch has fallen through the cracks, so I have resent it
with the Reviewed-by tags. Link to original thread:
https://lore.kernel.org/all/20251112141032.2000891-3-rpthibeault@gmail.com/

 fs/xfs/xfs_log_recover.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index 03e42c7dab56..e9a3e21af34a 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -2953,18 +2953,23 @@ xlog_valid_rec_header( xfs_daddr_t blkno, int bufsize) { + struct xfs_mount *mp =3D log->l_mp; + u32 h_version =3D be32_to_cpu(rhead->h_version); int hlen; =20 - if (XFS_IS_CORRUPT(log->l_mp, + if (XFS_IS_CORRUPT(mp, rhead->h_magicno !=3D cpu_to_be32(XLOG_HEADER_MAGIC_NUM))) return -EFSCORRUPTED; - if (XFS_IS_CORRUPT(log->l_mp, - (!rhead->h_version || - (be32_to_cpu(rhead->h_version) & - (~XLOG_VERSION_OKBITS))))) { - xfs_warn(log->l_mp, "%s: unrecognised log version (%d).", - __func__, be32_to_cpu(rhead->h_version)); - return -EFSCORRUPTED; + + /* + * The log version must match the superblock + */ + if (xfs_has_logv2(mp)) { + if (XFS_IS_CORRUPT(mp, h_version !=3D XLOG_VERSION_2)) + return -EFSCORRUPTED; + } else { + if (XFS_IS_CORRUPT(mp, h_version !=3D XLOG_VERSION_1)) + return -EFSCORRUPTED; } =20 /* 
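Review bot: dropping the xfs_warn() from the removed block means the on-disk h_version value is no longer logged on a mismatch. As the commit message says, XFS_IS_CORRUPT() reports the failed condition, file and line, and a stack dump, but it does not print the value that was read, and that value is what lets an administrator judge whether the log or the superblock is the corrupt side (a header carrying XLOG_VERSION_1 on a filesystem whose superblock claims a v2 log reads very differently from a header carrying garbage). Suggest keeping a one-line warning ahead of each return, e.g. `xfs_warn(mp, "%s: log version %u does not match superblock", __func__, h_version);`. Minor: the new comment should end with a period and could carry the reason from the commit message ("a v2 log only ever writes XLOG_VERSION_2 headers, a v1 log only XLOG_VERSION_1"), so the strictness of the equality test is explained in the code rather than only in git history.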
@@ -2972,12 +2977,12 @@ xlog_valid_rec_header( * and h_len must not be greater than LR buffer size. */ hlen =3D be32_to_cpu(rhead->h_len); - if (XFS_IS_CORRUPT(log->l_mp, hlen <=3D 0 || hlen > bufsize)) + if (XFS_IS_CORRUPT(mp, hlen <=3D 0 || hlen > bufsize)) return -EFSCORRUPTED; =20 - if (XFS_IS_CORRUPT(log->l_mp, - blkno > log->l_logBBsize || blkno > INT_MAX)) + if (XFS_IS_CORRUPT(mp, blkno > log->l_logBBsize || blkno > INT_MAX)) return -EFSCORRUPTED; + return 0; } =20 --=20 2.43.0
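Review bot: the re-wrapped blkno condition and the added blank line before `return 0;` are cosmetic churn unrelated to the fix. They are defensible under the "refactor for readability" item in the changelog, but since this patch carries a Fixes: tag and will be picked up by stable, confining this hunk to the `log->l_mp` to `mp` substitution (which the new `mp` local in the first hunk requires) would keep the backport diff minimal and easier to apply on older trees where surrounding lines differ. No functional change in this hunk otherwise; the hlen and blkno bounds checks are unchanged.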