Reproduction Details
- I encountered a kernel panic stack trace pointing to this issue
during XFS recovery while booting from an initramfs.
- The root partition was mounted, and recovery was being performed.
- Unfortunately, I havenâ??t been able to reproduce the issue locally,
corrupting the xfs partition while performing inode modifications.
Analysis
Hereâ??s a breakdown of how the issue seems to occur:
In xlog_recover_buf_commit_pass2, the following condition must be met:
if (buf_f->blf_flags & XFS_BLF_INODE_BUF)
buf_flags |= XBF_UNMAPPED;
During xfs_buf_read, there is a code path which can lead to bp->b_addr
not being allocated:
xlog_recover_buf_commit_pass2 -> xfs_buf_read -> xfs_buf_read_map
-> xfs_buf_get_map -> xfs_buf_find_insert
If xfs_buf_find_insert is not called or does not call
xfs_buf_alloc_kmem, allocation of bp->b_addr may not occur.
In _xfs_buf_map_pages, which is called after xfs_buf_find_insert,
following check:
if (bp->b_page_count == 1)
can evaluate to false, leading to:
} else if (flags & XBF_UNMAPPED) {
bp->b_addr = NULL;
}
which leaves bp->b_addr as NULL but still returns success (error = 0).
The recovery process proceeds, resulting in the null pointer
dereference in xlog_recover_get_buf_lsn.
Suggested Fix
