Linux XFS filesystem development
* [PATCH v3 0/3] xfs: fix NULL deref in log recovery reorder
@ 2026-07-02 16:19 Weiming Shi
  2026-07-02 16:19 ` [PATCH v3 1/3] xfs: drop ASSERT(0) on unrecognized log item type Weiming Shi
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Weiming Shi @ 2026-07-02 16:19 UTC (permalink / raw)
  To: linux-xfs
  Cc: Carlos Maiolino, Darrick J. Wong, Brian Foster,
	Christoph Hellwig, Xiang Mei, Weiming Shi

A crafted on-disk log can commit a transaction whose only item is a bare
transaction header (ri_cnt == 0, ri_buf == NULL).
xlog_recover_reorder_trans() then runs ITEM_TYPE() on it and dereferences
the NULL ri_buf, faulting the kernel at mount time.

v3:
 - patches 1 and 2: picked up the Reviewed-by tags, plus the
   s/encountered/encounter/ fix in patch 2 that Darrick noted
 - patch 3: reworked the changelog per Darrick and Christoph. The empty
   item comes from the len == sizeof(xfs_trans_header) path; the check can
   only run at commit time because a split header may still get regions
   from later ops; and the runtime commit path never emits this, so it is
   only reachable on a crafted log.  It came from an AI-assisted code
   audit of the parser.  Added Cc: stable # v4.3.

Tested on xfs-7.2-fixes with KASAN: the unpatched kernel oopses in
xlog_recover_reorder_trans; the patched kernel fails the mount with
-EFSCORRUPTED and no splat.

Weiming Shi (3):
  xfs: drop ASSERT(0) on unrecognized log item type
  xfs: splice unsorted log items back to the transaction after the loop
  xfs: fail recovery on a committed log item with no regions

 fs/xfs/xfs_log_recover.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

-- 
2.43.0

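The cover letter describes a parser that trusts an item's region count: a committed transaction whose only item has ri_cnt == 0 and ri_buf == NULL reaches a macro that reads the item type from ri_buf[0], and the fix is to reject such an item at commit time rather than while regions may still be arriving. The following is an added, stand-alone model of that bug class and its hardened form; it is not XFS kernel code and does not reproduce the actual xlog_recover_item layout, xlog_recover_reorder_trans, or the real ITEM_TYPE macro. The struct names, the EFSCORRUPTED value and the sample regions are all assumptions constructed for illustration.

```c
/* Added example, not from the XFS tree: a simplified model of a log-recovery
 * item list where each item's type lives in its first logged region. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EFSCORRUPTED 117  /* assumption: any nonzero errno works for the model */

/* One logged region of an item (a copy of bytes from the on-disk log). */
struct log_region {
    const uint32_t *data;
    size_t len;
};

/* Model of a recovery item: ri_cnt regions pointed to by ri_buf. An item
 * created from a header-only op starts with ri_cnt == 0, ri_buf == NULL, and
 * may legitimately gain regions from later ops before the commit record. */
struct recover_item {
    int ri_cnt;
    struct log_region *ri_buf;
};

enum item_type { ITEM_BUF = 1, ITEM_INODE = 2 };

/* Unchecked type lookup, as in the faulting path: dereferences ri_buf[0]
 * unconditionally, so an empty item makes this a NULL pointer read. */
static int item_type_unchecked(const struct recover_item *it)
{
    return (int)it->ri_buf[0].data[0];
}

/* Commit-time validation: once the commit record is seen no more regions can
 * arrive, so an item with no regions is corruption, not a split header. */
static int validate_committed_item(const struct recover_item *it)
{
    if (it->ri_cnt == 0 || it->ri_buf == NULL)
        return -EFSCORRUPTED;
    if (it->ri_buf[0].len < sizeof(uint32_t))   /* type field must fit */
        return -EFSCORRUPTED;
    return 0;
}

/* Hardened reorder: validate every committed item before classifying it.
 * Returns 0 and fills out_types, or -EFSCORRUPTED without touching NULL. */
static int reorder_trans(struct recover_item *items, size_t n, int *out_types)
{
    for (size_t i = 0; i < n; i++) {
        int err = validate_committed_item(&items[i]);
        if (err)
            return err;
        out_types[i] = item_type_unchecked(&items[i]);
    }
    return 0;
}

/* Constructed sample regions (not captured from a real log). */
static const uint32_t buf_region[] = { ITEM_BUF, 0, 0 };
static const uint32_t ino_region[] = { ITEM_INODE, 0 };
static struct log_region good_regions[2] = {
    { buf_region, sizeof buf_region },
    { ino_region, sizeof ino_region },
};
static int g_types[2];

/* Well-formed transaction: two items, one region each. */
static int recover_good_trans(void)
{
    struct recover_item items[2] = {
        { .ri_cnt = 1, .ri_buf = &good_regions[0] },
        { .ri_cnt = 1, .ri_buf = &good_regions[1] },
    };
    return reorder_trans(items, 2, g_types);
}

static int good_trans_type(size_t i) { return g_types[i]; }

/* Crafted transaction: its only item never received a region. The unchecked
 * lookup would fault here; the checked path fails recovery instead. */
static int recover_crafted_trans(void)
{
    struct recover_item items[1] = { { .ri_cnt = 0, .ri_buf = NULL } };
    return reorder_trans(items, 1, g_types);
}

int main(void)
{
    printf("good trans: err=%d types=%d,%d\n", recover_good_trans(),
           good_trans_type(0), good_trans_type(1));
    printf("crafted trans: err=%d\n", recover_crafted_trans());
    return 0;
}
```

The point of placing the check in validate_committed_item rather than at item creation mirrors the cover letter's reasoning: an empty item is only known to be bogus once the transaction commits, so the guard has to sit on the commit path, ahead of any code that indexes ri_buf.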



Thread overview: 5+ messages
2026-07-02 16:19 [PATCH v3 0/3] xfs: fix NULL deref in log recovery reorder Weiming Shi
2026-07-02 16:19 ` [PATCH v3 1/3] xfs: drop ASSERT(0) on unrecognized log item type Weiming Shi
2026-07-02 16:19 ` [PATCH v3 2/3] xfs: splice unsorted log items back to the transaction after the loop Weiming Shi
2026-07-02 16:20 ` [PATCH v3] xfs: fail recovery on a committed log item with no regions Weiming Shi
2026-07-02 19:45   ` Darrick J. Wong
