mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Michael Bommarito <michael.bommarito@gmail.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: "Darrick J. Wong" <djwong@kernel.org>,
	Carlos Maiolino <cem@kernel.org>,
	linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] xfs: detect cycles in recovered unlinked inode lists
Date: Tue, 19 May 2026 08:48:33 -0400	[thread overview]
Message-ID: <20260519124833.2020871-1-michael.bommarito@gmail.com> (raw)
In-Reply-To: <agwfrZAchLLFX7c7@infradead.org>

Hi Christoph,

This research agenda and patch comes from a hardening project
focused on automount filesystems in major modern distros.
Maybe the USB stick threat model isn't worth the patch for
just DoS impact, but that's at least why I thought it worth
submitting in the first place.

I looked more closely at current xfsprogs for-next
to answer Darrick's repair question.  Plain xfs_repair refuses
the reproducer because the log is dirty and needs replay; that
replay is the mount-time path that hangs on the vulnerable kernel.

xfs_repair -n diagnoses the AGI unlinked bucket and inode
next_unlinked damage, and xfs_repair -L clears the bucket /
next_unlinked state and repairs the image, with the usual log-loss
caveat.

I also found a narrower userspace diagnostic issue: xfs_db
dump_iunlinked follows di_next_unlinked until NULLAGINO and will
spin on the same self-cycle.  xfs_repair itself does not appear to
use that unbounded walker in the tested repair path, and xfs_scrub
userspace is mostly driving the kernel scrub ioctls.

To be fully safe from automount attacks, I think both sides would
need to be addressed.

Your bigger point about regressions and test coverage is still
valid though.  FWIW, I have been talking with some other fs
maintainers about adding test/ fuzzing coverage either in-tree
or external.  I would be happy to help with add XFS coverage
as part of that project, although I'd defer to your preference
about where those tests should actually live.

All that said, just let me know if you still want a v2 based
on the threat model.

Thanks,
Mike

  reply	other threads:[~2026-05-19 12:48 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-18  1:31 Michael Bommarito
2026-05-19  5:02 ` Darrick J. Wong
2026-05-19  8:30   ` Christoph Hellwig
2026-05-19 12:48     ` Michael Bommarito [this message]
2026-05-20 12:19       ` Carlos Maiolino
2026-05-20 12:46         ` Michael Bommarito

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260519124833.2020871-1-michael.bommarito@gmail.com \
    --to=michael.bommarito@gmail.com \
    --cc=cem@kernel.org \
    --cc=djwong@kernel.org \
    --cc=hch@infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-xfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome